
SebLaw

Members
  • Content count

    34
  • Joined

  • Last visited

Everything posted by SebLaw

  1. No problem with repar.bat. It copied both files. I'm restarting in normal mode with internet to install the firewall. No problem for the infected files, just tell me where I can find them.
  2. Done! The desktop is back and spotless. Thanks again
  3. Combofix has finished. I got the log in a pop-up and the Combo DOS window closed. However, I'm left with an empty desktop. Should I reboot with Ctrl-Alt-Del? Below is the ComboFix report:

     ComboFix 09-08-18.01 - Claude Goulet 19/08/2009 12:26.1.1 - NTFSx86 NETWORK
     Microsoft Windows XP Édition familiale 5.1.2600.2.1252.33.1036.18.511.381 [GMT 2:00]
     Running from: c:\documents and settings\Claude Goulet\Bureau\ComboFix.exe
     AV: avast! antivirus 4.8.1335 [VPS 090707-0] *On-access scanning enabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
     WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
     .
     ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     c:\documents and settings\All Users\Bureau\avast! Antivirus.lnk
     c:\documents and settings\Claude Goulet\Local Settings\Temporary Internet Files\aqetafiza.vbs
     c:\documents and settings\Claude Goulet\Local Settings\Temporary Internet Files\epalojel.vbs
     c:\documents and settings\Claude Goulet\Local Settings\Temporary Internet Files\omiwotofoh.db
     c:\documents and settings\Claude Goulet\Local Settings\Temporary Internet Files\tuqa.vbs
     c:\documents and settings\Claude Goulet\Local Settings\Temporary Internet Files\usip.pif
     c:\documents and settings\Claude Goulet\RavMonLog
     c:\program files\Internet Explorer\ws2help.dll
     c:\program files\Windows Media Player\ws2help.dll
     c:\recycler\S-1-5-21-602863079-3764293057-1177510727-1003
     C:\smp.bat
     c:\windows\010112010146120114.xe
     c:\windows\0101120101464949.xe
     c:\windows\Installer\6838.msi
     c:\windows\system32\rnaph.dll
     .
     ((((((((((((((((((((((((( Files Created from 2009-07-19 to 2009-08-19 )))))))))))))))))))))))))))))))
     .
     2009-08-17 16:05 . 2009-02-05 20:06 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
     2009-08-17 16:05 . 2009-02-05 20:06 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
     2009-08-17 16:05 . 2009-02-05 20:05 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys
     2009-08-17 16:05 . 2009-02-05 20:04 97480 ----a-w- c:\windows\system32\AvastSS.scr
     2009-08-17 16:05 . 2009-02-05 20:07 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
     2009-08-17 16:05 . 2009-02-05 20:07 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
     2009-08-17 16:05 . 2009-02-05 20:08 93296 ----a-w- c:\windows\system32\drivers\aswmon.sys
     2009-08-17 16:05 . 2009-02-05 20:08 94032 ----a-w- c:\windows\system32\drivers\aswmon2.sys
     2009-08-17 16:05 . 2009-02-05 20:11 1256296 ----a-w- c:\windows\system32\aswBoot.exe
     2009-08-17 16:05 . 2009-08-17 16:05 -------- d-----w- c:\program files\Alwil Software
     2009-08-16 14:51 . 2009-08-16 14:51 -------- d-----w- c:\documents and settings\Claude Goulet\Application Data\Malwarebytes
     2009-08-16 14:16 . 2009-08-16 14:16 -------- d-----w- c:\documents and settings\Administrateur\Application Data\Malwarebytes
     2009-08-16 14:16 . 2009-08-03 11:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
     2009-08-16 14:16 . 2009-08-16 14:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
     2009-08-16 14:16 . 2009-08-16 14:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
     2009-08-16 14:16 . 2009-08-03 11:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
     2009-08-16 10:15 . 2009-08-16 10:15 -------- d-----w- c:\documents and settings\Administrateur\Local Settings\Application Data\Mozilla
     .
     (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     2009-08-19 09:00 . 2005-12-30 13:12 -------- d-----w- c:\program files\Wanadoo
     2009-08-19 08:57 . 2006-07-26 11:38 -------- d-----w- c:\documents and settings\Claude Goulet\Application Data\OpenOffice.org2
     2009-08-19 08:56 . 2009-01-18 12:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
     2009-08-18 09:29 . 2005-01-15 21:27 -------- d-----w- c:\program files\Fichiers communs\Symantec Shared
     2009-08-18 09:23 . 2005-01-15 21:28 -------- d-----w- c:\program files\Norton AntiVirus
     2009-08-18 08:49 . 2005-01-15 21:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
     2009-08-14 06:17 . 1979-12-31 23:00 619200 ----a-w- c:\windows\system32\drivers\ntfs.sys
     2009-07-28 21:18 . 2008-09-01 12:07 -------- d-----w- c:\documents and settings\Claude Goulet\Application Data\dvdcss
     2009-06-19 12:57 . 2009-06-19 12:55 1878984 ----a-w- c:\documents and settings\Claude Goulet\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe
     2006-06-15 15:34 . 2005-12-21 18:45 278528 ----a-w- c:\program files\Fichiers communs\FDEUnInstaller.exe
     2007-12-06 16:14 . 2007-12-06 16:14 90112 ----a-w- c:\program files\mozilla firefox\components\FireDlmgrGate.dll
     .
     ------- Sigcheck -------
     [-] 2009-08-14 06:17 619200 5D407322AA69AC6E7B17C81B48DEB327 c:\windows\system32\dllcache\ntfs.sys
     [-] 2009-08-14 06:17 619200 5D407322AA69AC6E7B17C81B48DEB327 c:\windows\system32\drivers\ntfs.sys
     c:\windows\system32\drivers\beep.sys ... is missing !!
     .
     ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     *Note* empty entries & legit default entries are not shown
     REGEDIT4

     [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "WOOKIT"="c:\progra~1\Wanadoo\Shell.exe" [2004-08-23 122880]
     "msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]

     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "LaunchApp"="Alaunch" [X]
     "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-21 40960]
     "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-05 208952]
     "MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-05 59392]
     "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-05 455168]
     "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-05 455168]
     "NVMixerTray"="c:\program files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-10-07 131072]
     "eRecoveryService"="c:\windows\System32\Check.exe" [2004-11-24 245760]
     "WOOWATCH"="c:\progra~1\Wanadoo\Watch.exe" [2004-08-23 20480]
     "WOOTASKBARICON"="c:\progra~1\Wanadoo\GestMaj.exe" [2004-10-14 32768]
     "EEventManager"="c:\program files\EPSON\Creativity Suite\Event Manager\EEventManager.exe" [2005-04-08 102400]
     "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
     "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 83608]
     "Fnac"="c:\program files\Fnac\Fnac.exe" [2008-07-21 860256]
     "avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]

     [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
     "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-05 15360]

     c:\documents and settings\Claude Goulet\Menu Démarrer\Programmes\Démarrage\
     Adobe Gamma.lnk - c:\program files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe [2006-1-1 110592]
     OpenOffice.org 2.0.lnk - c:\program files\OpenOffice.org 2.0\program\quickstart.exe [2006-1-25 61440]

     c:\documents and settings\All Users\Menu Démarrer\Programmes\Démarrage\
     Adobe Gamma Loader.exe.lnk - c:\program files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe [2006-1-1 110592]
     Adobe Gamma Loader.lnk - c:\program files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe [2006-1-1 110592]
     DSLMON.lnk - c:\program files\SAGEM\SAGEM F@st 800-840\dslmon.exe [2005-12-30 954475]
     Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
     NaturalColorLoad.lnk - c:\program files\SEC\Natural Color\NaturalColorLoad.exe [2006-12-25 155715]
     VPN Client.lnk - c:\windows\Installer\{229205AC-74D7-4045-BE2E-F3276B498EF1}\Icon3E5562ED7.ico [2008-1-13 6144]

     [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
     "ForceClassicControlPanel"= 1 (0x1)

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
     "c:\\WINDOWS\\system32\\sessmgr.exe"=
     "c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
     "c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
     "c:\\Program Files\\MSN Messenger\\livecall.exe"=

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
     "16577:TCP"= 16577:TCP:*:Disabled:NortonAV
     "16630:TCP"= 16630:TCP:*:Disabled:NortonAV
     "18813:TCP"= 18813:TCP:*:Disabled:NortonAV
     "18371:TCP"= 18371:TCP:*:Disabled:NortonAV
     "15685:TCP"= 15685:TCP:*:Disabled:NortonAV
     "13344:TCP"= 13344:TCP:*:Disabled:NortonAV
     "12188:TCP"= 12188:TCP:*:Disabled:NortonAV
     "12965:TCP"= 12965:TCP:*:Disabled:NortonAV
     "16611:TCP"= 16611:TCP:*:Disabled:NortonAV
     "12224:TCP"= 12224:TCP:*:Disabled:NortonAV
     "13553:TCP"= 13553:TCP:*:Disabled:NortonAV
     "13747:TCP"= 13747:TCP:*:Disabled:NortonAV
     "15808:TCP"= 15808:TCP:*:Disabled:NortonAV
     "14991:TCP"= 14991:TCP:*:Disabled:NortonAV
     "14277:TCP"= 14277:TCP:*:Disabled:NortonAV
     "13411:TCP"= 13411:TCP:*:Disabled:NortonAV
     "13877:TCP"= 13877:TCP:*:Disabled:NortonAV
     "18169:TCP"= 18169:TCP:*:Disabled:NortonAV
     "14018:TCP"= 14018:TCP:*:Disabled:NortonAV
     "13714:TCP"= 13714:TCP:*:Disabled:NortonAV
     "16854:TCP"= 16854:TCP:*:Disabled:NortonAV
     "14346:TCP"= 14346:TCP:*:Disabled:NortonAV
     "16737:TCP"= 16737:TCP:*:Disabled:NortonAV
     "18948:TCP"= 18948:TCP:*:Disabled:NortonAV
     "16430:TCP"= 16430:TCP:*:Disabled:NortonAV
     "18291:TCP"= 18291:TCP:*:Disabled:NortonAV
     "12149:TCP"= 12149:TCP:*:Disabled:NortonAV
     "13753:TCP"= 13753:TCP:*:Disabled:NortonAV
     "17982:TCP"= 17982:TCP:*:Disabled:NortonAV
     "17211:TCP"= 17211:TCP:*:Disabled:NortonAV
     "12344:TCP"= 12344:TCP:*:Disabled:NortonAV
     "15195:TCP"= 15195:TCP:*:Disabled:NortonAV
     "16356:TCP"= 16356:TCP:*:Disabled:NortonAV
     "12174:TCP"= 12174:TCP:*:Disabled:NortonAV
     "14080:TCP"= 14080:TCP:*:Disabled:NortonAV
     "13315:TCP"= 13315:TCP:*:Disabled:NortonAV
     "14795:TCP"= 14795:TCP:*:Disabled:NortonAV
     "12897:TCP"= 12897:TCP:*:Disabled:NortonAV
     "18036:TCP"= 18036:TCP:*:Disabled:NortonAV
     "14612:TCP"= 14612:TCP:*:Disabled:NortonAV
     "16648:TCP"= 16648:TCP:*:Disabled:NortonAV
     "14585:TCP"= 14585:TCP:*:Disabled:NortonAV
     "17687:TCP"= 17687:TCP:*:Disabled:NortonAV
     "16750:TCP"= 16750:TCP:*:Disabled:NortonAV
     "18100:TCP"= 18100:TCP:*:Disabled:NortonAV
     "14769:TCP"= 14769:TCP:*:Disabled:NortonAV
     "13158:TCP"= 13158:TCP:*:Disabled:NortonAV

     R0 nvcchflt;NVIDIA Disk Cache Filter Driver;c:\windows\system32\drivers\nvcchflt.sys [01/01/1980 01:00 16640]
     S1 aswsp;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [17/08/2009 18:05 114768]
     S2 aswfsblk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [17/08/2009 18:05 20560]
     S2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [13/01/2008 14:42 399032]
     S3 CSVirtA;Cisco Systems SSL VPN Adapter;c:\windows\system32\drivers\CSVirtA.sys [20/12/2007 17:53 22136]
     S3 vpnva;Cisco AnyConnect VPN Virtual Miniport Adapter for Windows;c:\windows\system32\drivers\vpnva.sys [13/01/2008 14:42 24176]
     .
     Contents of the 'Scheduled Tasks' folder

     2009-08-19 c:\windows\Tasks\Google Software Updater.job
     - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-01-18 21:28]

     2005-01-15 c:\windows\Tasks\Symantec NetDetect.job
     - c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2005-01-15 10:22]
     .
     .
     ------- Supplementary Scan -------
     .
     uStart Page = hxxp://www.google.com/
     mStart Page = hxxp://www.google.com
     uInternet Connection Wizard,ShellNext = iexplore
     IE: {{1DAA624F-A7AB-4b31-97A4-67205FF6963C} - c:\program files\mrbookmakerfrMPP\MPPoker.exe
     Trusted Zone: fnac.com\vod
     TCP: {EC91EEF2-F4F0-43F7-8C71-2C0E40B746FA} = 164.81.1.4,164.81.1.5
     DPF: {264AED84-12F1-4CA1-8AA7-EB939AE58D8D} - hxxps://vpn-sci.unilim.fr/CACHE/webvpn/stc/1/binaries/stcweb.cab
     DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://vpn-sci.unilim.fr/CACHE/stc/1/binaries/vpnweb.cab
     FF - ProfilePath - c:\documents and settings\Claude Goulet\Application Data\Mozilla\Firefox\Profiles\6l6l96fd.default\
     FF - component: c:\program files\Mozilla Firefox\components\FireDlmgrGate.dll
     FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
     FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
     FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
     FF - plugin: c:\program files\Virtools\3D Life Player\npvirtools.dll
     .
     **************************************************************************
     catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
     Rootkit scan 2009-08-19 12:30
     Windows 5.1.2600 Service Pack 2 NTFS
     scanning hidden processes ...
     scanning hidden autostart entries ...
     scanning hidden files ...
     scan completed successfully
     hidden files: 0
     **************************************************************************
     .
     --------------------- LOCKED REGISTRY KEYS ---------------------
     [HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
     "SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
     00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
     .
     --------------------- DLLs Loaded Under Running Processes ---------------------
     - - - - - - - > 'winlogon.exe'(496)
     c:\windows\system32\Ati2evxx.dll
     .
     Completion time: 2009-08-19 12:32
     ComboFix-quarantined-files.txt 2009-08-19 10:31
     Pre-Run: 44 937 625 600 octets libres
     Post-Run: 44 912 398 336 octets libres
     209
  4. Combofix is running... No problem for the files. We have to get rid of these pests! But you'll have to explain the procedure to me
  5. I ran another scan with an updated MBAM (it wasn't requested, but it seemed to go without saying). I'll move on to Combofix in the next message. Below is the latest MBAM log:

     Malwarebytes' Anti-Malware 1.40
     Database version: 2653
     Windows 5.1.2600 Service Pack 2 (Safe Mode)

     19/08/2009 12:15:07
     mbam-log-2009-08-19 (12-15-07).txt

     Scan type: Quick Scan
     Objects scanned: 89431
     Time elapsed: 1 minute(s), 59 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 1
     Registry Values Infected: 1
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 8

     Memory Processes Infected:
     (No malicious items detected)

     Memory Modules Infected:
     (No malicious items detected)

     Registry Keys Infected:
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\INSTALL.EXE (Trojan.Dropper) -> Quarantined and deleted successfully.

     Registry Values Infected:
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Regedit32 (Trojan.Agent) -> Quarantined and deleted successfully.

     Registry Data Items Infected:
     (No malicious items detected)

     Folders Infected:
     (No malicious items detected)

     Files Infected:
     C:\Documents and Settings\Claude Goulet\Local Settings\Temp\INSTALL.EXE (Trojan.Dropper) -> Quarantined and deleted successfully.
     C:\Documents and Settings\Claude Goulet\Local Settings\Temp\zazodin_1250682820.exe (Worm.KoobFace) -> Quarantined and deleted successfully.
     C:\Documents and Settings\Claude Goulet\Local Settings\Temporary Internet Files\Content.IE5\1847HP0H\pp.11[1].exe (Worm.KoobFace) -> Quarantined and deleted successfully.
     C:\Documents and Settings\Claude Goulet\Local Settings\Temporary Internet Files\Content.IE5\A1VWL0RU\Install[1].exe (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
     C:\Documents and Settings\Claude Goulet\Local Settings\Temporary Internet Files\Content.IE5\S5UN8LMB\prx[1].exe (Worm.KoobFace) -> Quarantined and deleted successfully.
     C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\M6S6M068\Install[1].exe (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
     C:\WINDOWS\prxid93ps.dat (Malware.Trace) -> Quarantined and deleted successfully.
     C:\Documents and Settings\Claude Goulet\Menu Démarrer\Programmes\Démarrage\ikowin32.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
  6. I'll do all that right away. Just one small question: since I can't get internet on the infected computer, what do I do if combofix asks me to go and download the recovery console?
  7. Thanks a lot for the reply. I can only work in safe mode, and therefore without internet. But I have MBAM. I'm posting a report right away. I already had it run a full cleanup. I was able to restart in normal mode, but with the internet physically unplugged. As soon as I plugged it back in, all the viruses instantly came back and the computer shut down. Below is the MBAM log done in safe mode:

     Malwarebytes' Anti-Malware 1.40
     Database version: 2551
     Windows 5.1.2600 Service Pack 2 (Safe Mode)

     19/08/2009 11:45:22
     mbam-log-2009-08-19 (11-45-22).txt

     Scan type: Quick Scan
     Objects scanned: 88371
     Time elapsed: 1 minute(s), 58 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 6
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 11

     Memory Processes Infected:
     (No malicious items detected)

     Memory Modules Infected:
     (No malicious items detected)

     Registry Keys Infected:
     (No malicious items detected)

     Registry Values Infected:
     HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msword98 (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msword98 (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pp (Malware.Trace) -> Quarantined and deleted successfully.
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysldtray (Backdoor.Bot) -> Quarantined and deleted successfully.
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\braviax (Trojan.Downloader) -> Quarantined and deleted successfully.
     HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\braviax (Trojan.FakeAlert) -> Quarantined and deleted successfully.

     Registry Data Items Infected:
     (No malicious items detected)

     Folders Infected:
     (No malicious items detected)

     Files Infected:
     C:\Documents and Settings\Claude Goulet\msword98.exe (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
     C:\WINDOWS\system32\msword98.exe (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
     c:\WINDOWS\pp11.exe (Malware.Trace) -> Quarantined and deleted successfully.
     C:\WINDOWS\Temp\wpv391250518331.exe (Trojan.Agent) -> Quarantined and deleted successfully.
     C:\WINDOWS\Temp\wpv921250563654.exe (Trojan.Agent) -> Quarantined and deleted successfully.
     c:\WINDOWS\ld12.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
     C:\WINDOWS\system32\drivers\beep.sys (Fake.Beep.sys) -> Quarantined and deleted successfully.
     C:\WINDOWS\system32\dllcache\beep.sys (Fake.Beep.sys) -> Quarantined and deleted successfully.
     C:\WINDOWS\system32\braviax.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
     C:\Documents and Settings\Claude Goulet\Application Data\wiaserva.log (Malware.Trace) -> Quarantined and deleted successfully.
     C:\WINDOWS\system32\wisdstr.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
  8. Below is a HijackThis report done in safe mode, because there's no time to run the scan in normal mode before the computer reboots. I get the feeling this virus is a tough one...

     Logfile of Trend Micro HijackThis v2.0.2
     Scan saved at 11:14:18, on 19/08/2009
     Platform: Windows XP SP2 (WinNT 5.01.2600)
     MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
     Boot mode: Safe mode with network support

     Running processes:
     C:\WINDOWS\System32\smss.exe
     C:\WINDOWS\system32\winlogon.exe
     C:\WINDOWS\system32\services.exe
     C:\WINDOWS\system32\lsass.exe
     C:\WINDOWS\system32\svchost.exe
     C:\WINDOWS\system32\svchost.exe
     C:\WINDOWS\Explorer.EXE
     C:\WINDOWS\system32\NOTEPAD.EXE
     C:\Documents and Settings\Claude Goulet\Mes documents\scan.exe

     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com
     R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Orange
     R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
     R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\Wanadoo\SEARCH~1.DLL
     O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
     O4 - HKLM\..\Run: [LaunchApp] Alaunch
     O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
     O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
     O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
     O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
     O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
     O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
     O4 - HKLM\..\Run: [eRecoveryService] C:\Windows\System32\Check.exe
     O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\Wanadoo\Watch.exe
     O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\Wanadoo\GestMaj.exe TaskBarIcon.exe
     O4 - HKLM\..\Run: [EEventManager] C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
     O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
     O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
     O4 - HKLM\..\Run: [Fnac] "C:\Program Files\Fnac\Fnac.exe" /check
     O4 - HKLM\..\Run: [Regedit32] C:\WINDOWS\system32\regedit.exe
     O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
     O4 - HKLM\..\Run: [sysldtray] c:\windows\ld12.exe
     O4 - HKLM\..\Run: [msword98] C:\WINDOWS\system32\msword98.exe
     O4 - HKLM\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe
     O4 - HKLM\..\Run: [pp] c:\windows\pp11.exe
     O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
     O4 - HKCU\..\Run: [WOOKIT] C:\PROGRA~1\Wanadoo\Shell.exe appLaunchClientZone.shl|DEFAULT=cnx|PARAM=
     O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
     O4 - HKCU\..\Run: [msword98] C:\Documents and Settings\Claude Goulet\msword98.exe
     O4 - HKCU\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe
     O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
     O4 - HKUS\.DEFAULT\..\Run: [braviax] (User 'Default user')
     O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
     O4 - Startup: ikowin32.exe
     O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
     O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
     O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
     O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
     O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
     O4 - Global Startup: NaturalColorLoad.lnk = ?
     O4 - Global Startup: VPN Client.lnk = ?
     O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
     O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
     O9 - Extra button: Unibet Fr Poker - {1DAA624F-A7AB-4b31-97A4-67205FF6963C} - C:\Program Files\mrbookmakerfrMPP\MPPoker.exe
     O9 - Extra button: Messager Wanadoo - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\WANADO~1\Wanadoo Messager.exe
     O9 - Extra 'Tools' menuitem: Messager Wanadoo - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\WANADO~1\Wanadoo Messager.exe
     O9 - Extra button: Orange - {1462651F-F4BA-4C76-A001-C4284D0FE16E} - http://www.orange.fr (file missing) (HKCU)
     O16 - DPF: {264AED84-12F1-4CA1-8AA7-EB939AE58D8D} (STCWeb Control) - https://vpn-sci.unilim.fr/CACHE/webvpn/stc/...ries/stcweb.cab
     O16 - DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} (Cisco AnyConnect VPN Client Web Control) - https://vpn-sci.unilim.fr/CACHE/stc/1/binaries/vpnweb.cab
     O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - http://www.sibelius.com/download/software/...tiveXPlugin.cab
     O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...5/installer.exe
     O16 - DPF: {DD3641E5-A9CF-11D1-9AA1-444553540000} (Surround Video V3.0 Control Object) - http://www.lanson.net/svideo3.cab
     O17 - HKLM\System\CCS\Services\Tcpip\..\{EC91EEF2-F4F0-43F7-8C71-2C0E40B746FA}: Domain = unilim.fr
     O17 - HKLM\System\CCS\Services\Tcpip\..\{EC91EEF2-F4F0-43F7-8C71-2C0E40B746FA}: NameServer = 164.81.1.4,164.81.1.5
     O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = unilim.fr,,unilim.fr,,unilim.fr,
     O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = unilim.fr,,unilim.fr,,unilim.fr,
     O20 - AppInit_DLLs: cru629.dat
     O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Fichiers communs\Adobe Systems Shared\Service\Adobelmsvc.exe
     O23 - Service: avast! iAVS4 Control Service (aswupdsv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
     O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
     O23 - Service: avast! Antivirus (avast! antivirus) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
     O23 - Service: avast! Mail Scanner (avast! mail scanner) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
     O23 - Service: avast! Web Scanner (avast! web scanner) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
     O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
     O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
     O23 - Service: Service Norton AntiVirus Auto-Protect (navapsvc) - Unknown owner - C:\Program Files\Norton AntiVirus\navapsvc.exe (file missing)
     O23 - Service: ScriptBlocking Service (SBService) - Unknown owner - C:\PROGRA~1\FICHIE~1\SYMANT~1\SCRIPT~1\SBServ.exe (file missing)
     O23 - Service: Cisco Systems, Inc. STC Agent (STCAgent) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe
     O23 - Service: Cisco AnyConnect VPN Agent (vpnagent) - Cisco Systems, Inc. - C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe

     --
     End of file - 7348 bytes
  9. Hello everyone, I'm brand new on this forum. My mother's computer was infected by various viruses that made the computer reboot after a few seconds. In safe mode, I deleted the various files braviax.exe, cru629.dat, beep.sys, figaro.sys, wisdstr.exe, msWord98.exe, the PC_antispyware_2010 directory and its contents, as well as a whole string of small executables with odd names located in lots of different directory trees and whose creation date seemed to indicate they were harmful. That done, I cleaned the registry, disabled System Restore, and ran a scan with MBAM, which found that my system was clean. I restarted the computer in normal mode (XP SP2) with the internet cable unplugged. Then I ran an MBAM scan, and avast. Both were OK. The computer worked perfectly and I set a new System Restore point. Then I connected to the internet. And there, within thirty seconds, all the viruses came back. An error stopped svchost. And the computer rebooted. And here I am, back at square one. I have a huge amount of data and would be very embarrassed to have to format. I looked at the other posts. But I think using combofix is not something to be done lightly. I would be very grateful for your help, bearing in mind that I can't access the internet from the infected computer. Thanks