services.exe et virus

[Malekal_morte]

Quand gmer a dit qu'il a trouvé un rootkit, il a du te mettre des lignes en rouge c'était lesquelles?

Tu peux poster ton rapport Antivir ici stp.

[diaph16]

Il m'a mit une fenêtre et je pouvait cliquer sur OK c'est tout

 

Voilà le log antivir

 

 

 

AntiVir PersonalEdition Classic

Report file date: jeudi 5 avril 2007 14:08

 

Scanning for 725682 virus strains and unwanted programs.

 

Licensed to: Avira AntiVir PersonalEdition Classic

Serial number: 0000149996-ADJIE-0001

Platform: Windows XP

Windows version: (Service Pack 2) [5.1.2600]

Username: MERAHI Youcef

Computer name: HCA-4UOSTV9DEMJ

 

Version information:

BUILD.DAT : 217 12749 Bytes 05/12/2006 17:00:00

AVSCAN.EXE : 7.0.3.5 208936 Bytes 05/04/2007 12:58:40

AVSCAN.DLL : 7.0.3.1 35880 Bytes 05/12/2006 16:00:22

LUKE.DLL : 7.0.3.2 143400 Bytes 31/10/2006 16:07:46

LUKERES.DLL : 7.0.2.0 9256 Bytes 05/12/2006 16:00:22

ANTIVIR0.VDF : 6.35.0.1 7371264 Bytes 31/05/2006 15:30:06

ANTIVIR1.VDF : 6.37.1.151 4303360 Bytes 23/02/2007 12:58:43

ANTIVIR2.VDF : 6.38.0.154 498176 Bytes 01/04/2007 12:58:43

ANTIVIR3.VDF : 6.38.0.182 108544 Bytes 05/04/2007 12:58:43

AVEWIN32.DLL : 7.3.1.48 2388480 Bytes 05/04/2007 12:58:45

AVPREF.DLL : 7.0.2.0 23592 Bytes 03/11/2006 10:53:44

AVREP.DLL : 6.38.0.90 1204264 Bytes 05/04/2007 12:58:43

AVRPBASE.DLL : 7.0.0.0 2162728 Bytes 30/03/2006 08:43:31

AVPACK32.DLL : 7.3.0.8 360488 Bytes 05/04/2007 12:58:45

AVREG.DLL : 7.0.1.2 30760 Bytes 05/04/2007 12:58:40

NETNT.DLL : No Information!

RCIMAGE.DLL : 7.0.1.3 2097192 Bytes 08/11/2006 12:26:26

RCTEXT.DLL : 7.0.12.1 77864 Bytes 05/12/2006 16:00:21

 

Configuration settings for the scan:

Jobname..........................: Manual Selection

Configuration file...............: C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic\PROFILES\folder.avp

Logging..........................: low

Primary action...................: interactive

Secondary action.................: ignore

Scan master boot sector..........: off

Scan boot sector.................: on

Boot sectors.....................: E:,

Scan memory......................: on

Process scan.....................: on

Scan registry....................: on

Scan all files...................: Intelligent file selection

Scan archives....................: on

Recursion depth..................: 20

Smart extensions.................: on

Macro heuristic..................: on

File heuristic...................: medium

 

Start of the scan: jeudi 5 avril 2007 14:08

 

The scan of running processes will be started

Scan process 'avscan.exe' - '1' Modules have been scanned

Scan process 'avcenter.exe' - '1' Modules have been scanned

Scan process 'explorer.exe' - '1' Modules have been scanned

Scan process 'svchost.exe' - '1' Modules have been scanned

Scan process 'svchost.exe' - '1' Modules have been scanned

Scan process 'svchost.exe' - '1' Modules have been scanned

Scan process 'lsass.exe' - '1' Modules have been scanned

Scan process 'services.exe' - '1' Modules have been scanned

Scan process 'winlogon.exe' - '1' Modules have been scanned

Scan process 'csrss.exe' - '1' Modules have been scanned

Scan process 'smss.exe' - '1' Modules have been scanned

11 processes with 11 modules were scanned

 

Start scanning boot sectors:

Boot sector 'C:\'

[NOTE] No virus was found!

Boot sector 'E:\'

[NOTE] No virus was found!

 

Starting to scan the registry.

The registry was scanned ( 16 files ).

 

 

Starting the file scan:

 

Begin scan in 'C:\'

C:\pagefile.sys

[WARNING] The file could not be opened!

C:\WINDOWS\system32\huy32.sys

[DETECTION] Is the Trojan horse TR/Rootkit.Gen

[iNFO] The file was moved to '468e0dfc.qua'!

C:\WINDOWS\system32\drivers\sptd.sys

[WARNING] The file could not be opened!

C:\WINDOWS\system32\drivers\sptd8013.sys

[WARNING] The file could not be opened!

Begin scan in 'E:\' <CAMILLOU>

E:\autorun.inf

[DETECTION] Contains signature of the VBS script virus VBS/IETitle.A

[iNFO] The file was deleted!

E:\MS32DLL.dll.vbs

[DETECTION] Contains signature of the VBS script virus VBS/IETitle.C

[iNFO] The file was deleted!

 

 

End of the scan: jeudi 5 avril 2007 16:04

Used time: 1:55:49 min

 

The scan has been done completely.

 

7415 Scanning directories

264806 Files were scanned

3 viruses and/or unwanted programs were found

2 files were deleted

0 files were repaired

1 files were moved to quarantine

0 files were renamed

3 Files cannot be scanned

264803 Files not concerned

2826 Archives were scanned

3 Warnings

1 Notes

[Malekal_morte]

Télécharge ce fichier (par ejvindh)

http://www.uploads.ejvindh.net/rustbfix.exe

...et sauvegarde-le sur ton Bureau.

 

Double clique rustbfix.exe afin de lancer l'outil.

Si une infection Rustock.b est détectée, une invite t'indiquera qu'il est nécessaire de redémarrer l'ordi. Ce redémarrage pourrait être plus long que d'habitude, et il est possible que deux redémarrages soient requis. Tout cela se fera automatiquement.

Suite au(x) redémarrage(s), deux rapports s'ouvriront : (%root%\avenger.txt & %root%\rustbfix\pelog.txt).

Poste (Copie/Colle) le contenu de ces deux rapports, ainsi qu'un nouveau log HijackThis dans ta prochaine réponse.

[diaph16]

************************* Rustock.b-fix -- By ejvindh *************************

05/04/2007 20:32:49,04

 

No Rustock.b-rootkits found

 

******************************* End of Logfile ********************************

[Malekal_morte]

Sélectionne cette liste dans le cadre :

 

drivers to unload:

huy32

 

Files to Delete:

C:\WINDOWS\system32\huy32.sys

E:\MS32DLL.dll.vbs

E:\autorun.inf

--> Clic droit copier

 

- Ouvre le Bloc-Note et clic sur le menu Edition/Coller afin de coller le contenu qui est dans le cadre ci-dessus

Important : Tu dois avoir le contenu du cadre ci-dessous dans le bloc-note, vérifié qu'il n'y a pas de lignes manquantes au début ou à la fin.

- Enregistre le fichier sur ton bureau sous le nom remove.txt

 

- Télécharge The Avenger de Swandog46

- Dézip le contenu de l'archive sur ton bureau et double-clic sur avenger.exe

- Clique sur "Ok"

- Sélectionne "Load Script from File" et clique sur l'icône en forme de dossier.

- Sélectionne le fichier remove.txt qui est sur ton bureau

- Clique sur le feu vert pour lancer le script

- Clique sur "Oui"

- Accepte de redémarrer ton pc.

 

Quand le PC a redémarre ouvre le fichier C:\avenger.txt et copie/colle le contenu ici.

[diaph16]

voilà ce qui était en rouge dans gmer

Module (noname) (*** hidden *** ) F7BB9000

[Malekal_morte]

OK fais la partie the avenger demandée dans le message précédent et poste le rapport ici.

[diaph16]

OK fais la partie the avenger demandée dans le message précédent et poste le rapport ici.

 

voilà le log

 

Logfile of The Avenger version 1, by Swandog46

Running from registry key:

\Registry\Machine\System\CurrentControlSet\Services\^xrokdpi

 

*******************

 

Script file located at: \??\C:\WINDOWS\hxmwqcqq.txt

Script file opened successfully.

 

Script file read successfully

 

Backups directory opened successfully at C:\Avenger

 

*******************

 

Beginning to process script file:

 

 

 

Registry key \Registry\Machine\System\CurrentControlSet\Services\huy32 not found!

Unload of driver huy32 failed!

 

Could not process line:

huy32

Status: 0xc0000034

 

 

 

File C:\WINDOWS\system32\huy32.sys not found!

Deletion of file C:\WINDOWS\system32\huy32.sys failed!

 

Could not process line:

C:\WINDOWS\system32\huy32.sys

Status: 0xc0000034

 

 

 

Could not open file E:\MS32DLL.dll.vbs for deletion

Deletion of file E:\MS32DLL.dll.vbs failed!

 

Could not process line:

E:\MS32DLL.dll.vbs

Status: 0xc000003a

 

 

 

Could not open file E:\autorun.inf for deletion

Deletion of file E:\autorun.inf failed!

 

Could not process line:

E:\autorun.inf

Status: 0xc000003a

 

 

Completed script processing.

 

*******************

 

Finished! Terminate.

[Malekal_morte]

Refais un scan Antivir et poste le rapport ici.

[diaph16]

Refais un scan Antivir et poste le rapport ici.

 

 

 

 

AntiVir PersonalEdition Classic

Report file date: jeudi 5 avril 2007 21:55

 

Scanning for 725779 virus strains and unwanted programs.

 

Licensed to: Avira AntiVir PersonalEdition Classic

Serial number: 0000149996-ADJIE-0001

Platform: Windows XP

Windows version: (Service Pack 2) [5.1.2600]

Username: MERAHI Youcef

Computer name: HCA-4UOSTV9DEMJ

 

Version information:

BUILD.DAT : 217 12749 Bytes 05/12/2006 17:00:00

AVSCAN.EXE : 7.0.3.5 208936 Bytes 05/04/2007 20:50:31

AVSCAN.DLL : 7.0.3.1 35880 Bytes 05/12/2006 16:00:22

LUKE.DLL : 7.0.3.2 143400 Bytes 31/10/2006 16:07:46

LUKERES.DLL : 7.0.2.0 9256 Bytes 05/12/2006 16:00:22

ANTIVIR0.VDF : 6.35.0.1 7371264 Bytes 31/05/2006 15:30:06

ANTIVIR1.VDF : 6.37.1.151 4303360 Bytes 23/02/2007 20:50:34

ANTIVIR2.VDF : 6.38.0.154 498176 Bytes 01/04/2007 20:50:34

ANTIVIR3.VDF : 6.38.0.183 109568 Bytes 05/04/2007 20:50:34

AVEWIN32.DLL : 7.3.1.48 2388480 Bytes 05/04/2007 20:50:42

AVPREF.DLL : 7.0.2.0 23592 Bytes 03/11/2006 10:53:44

AVREP.DLL : 6.38.0.90 1204264 Bytes 05/04/2007 20:50:36

AVRPBASE.DLL : 7.0.0.0 2162728 Bytes 30/03/2006 08:43:31

AVPACK32.DLL : 7.3.0.8 360488 Bytes 05/04/2007 20:50:45

AVREG.DLL : 7.0.1.2 30760 Bytes 05/04/2007 20:50:31

NETNT.DLL : No Information!

RCIMAGE.DLL : 7.0.1.3 2097192 Bytes 08/11/2006 12:26:26

RCTEXT.DLL : 7.0.12.1 77864 Bytes 05/12/2006 16:00:21

 

Configuration settings for the scan:

Jobname..........................: Manual Selection

Configuration file...............: C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic\PROFILES\folder.avp

Logging..........................: low

Primary action...................: interactive

Secondary action.................: ignore

Scan master boot sector..........: off

Scan boot sector.................: on

Boot sectors.....................: E:,

Scan memory......................: on

Process scan.....................: on

Scan registry....................: on

Scan all files...................: Intelligent file selection

Scan archives....................: on

Recursion depth..................: 20

Smart extensions.................: on

Macro heuristic..................: on

File heuristic...................: medium

 

Start of the scan: jeudi 5 avril 2007 21:55

 

The scan of running processes will be started

Scan process 'avscan.exe' - '1' Modules have been scanned

Scan process 'avcenter.exe' - '1' Modules have been scanned

Scan process 'explorer.exe' - '1' Modules have been scanned

Scan process 'svchost.exe' - '1' Modules have been scanned

Scan process 'svchost.exe' - '1' Modules have been scanned

Scan process 'svchost.exe' - '1' Modules have been scanned

Scan process 'lsass.exe' - '1' Modules have been scanned

Scan process 'services.exe' - '1' Modules have been scanned

Scan process 'winlogon.exe' - '1' Modules have been scanned

Scan process 'csrss.exe' - '1' Modules have been scanned

Scan process 'smss.exe' - '1' Modules have been scanned

11 processes with 11 modules were scanned

 

Start scanning boot sectors:

Boot sector 'C:\'

[NOTE] No virus was found!

Boot sector 'E:\'

[NOTE] No virus was found!

 

Starting to scan the registry.

The registry was scanned ( 16 files ).

 

 

Starting the file scan:

 

Begin scan in 'C:\'

C:\pagefile.sys

[WARNING] The file could not be opened!

C:\WINDOWS\system32\drivers\sptd.sys

[WARNING] The file could not be opened!

C:\WINDOWS\system32\drivers\sptd8013.sys

[WARNING] The file could not be opened!

Begin scan in 'E:\' <CAMILLOU>

 

 

End of the scan: jeudi 5 avril 2007 23:44

Used time: 1:48:56 min

 

The scan has been done completely.

 

7430 Scanning directories

265133 Files were scanned

0 viruses and/or unwanted programs were found

0 files were deleted

0 files were repaired

0 files were moved to quarantine

0 files were renamed

3 Files cannot be scanned

265133 Files not concerned

2842 Archives were scanned

3 Warnings

1 Notes