
[Solved] DriveCleaner - Rogue (fake security utility)



Posted
Re,

Disable your antivirus.

Try launching ComboFix again, and if it doesn't work tell me whether there is an error message.

 

Hello Bruce...

I'm writing to you from my house!

I've never seen anything like it!!!

It takes nearly 6 minutes to open a page... his BitDefender keeps announcing the viruses it has supposedly blocked...

Just posting the last post took me 18 min.

So I downloaded Antivir and tried to configure it as best I could. I went into safe mode, emptied the temp folders, cleaned the disk and launched Antivir....

And there it found viruses by the shovelful.....

I set it to quarantine and left it like that......

I think it will take 2 hours to do the scan...

I told him to save the report if Antivir produced one... that way I can post you the result, I think on Friday... because I can't get to his place before then!!

Do you think I've taken the right approach??

Thanks again for your help :P

Jacks

Posted
Re,

The thing is, you're infected with Vundo...

Download Deckard's System Scanner http://deckard.geekstogo.com/dss.exe to your desktop

Close all running applications

Double-click dss.exe. Two messages will appear on screen; click OK on both.

Be patient, the scan can take a long time.

At the end you'll get another message saying Notepad is going to open; click OK, then copy/paste its entire contents.

Posted

Hello Bruce, here is the report

It seems to be running a bit better

But there's still that Security Toolbar bar

Thanks

 

Deckard's System Scanner v20070426.43
Run by Perso on 2007-05-31 at 14:23:38
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

-- Last 5 Restore Point(s) --
29: 2007-05-31 12:23:51 UTC - RP220 - Deckard's System Scanner Restore Point
28: 2007-05-29 15:02:18 UTC - RP219 - AntiVir PersonalEdition Classic - 2007-05-29 17:01
27: 2007-05-28 06:28:09 UTC - RP218 - Software Distribution Service 2.0
26: 2007-05-27 17:51:37 UTC - RP217 - Point de vérification système
25: 2007-05-19 06:30:29 UTC - RP216 - Software Distribution Service 2.0

-- First Restore Point --
1: 2007-03-01 07:12:55 UTC - RP192 - Point de vérification système

Backed up registry hives.
Performed disk cleanup.

-- HijackThis (run as Perso.exe) -----------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 14:25, on 2007-05-31
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Security Tools\iesmn.exe
C:\Program Files\Security Tools\imsmain.exe
C:\Program Files\Softwin\BitDefender9\bdoesrv.exe
C:\progra~1\softwin\bitdef~1\bdnagent.exe
C:\Program Files\Security Tools\imsmn.exe
C:\progra~1\softwin\bitdef~1\bdswitch.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Security Tools\iesmin.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Fichiers communs\Softwin\BitDefender Communicator\xcommsvr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Fichiers communs\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Fichiers communs\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender9\vsserv.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Security Tools\iesmin.exe
C:\Documents and Settings\Perso\Bureau\dss.exe
C:\PROGRA~1\HIJACK~1\Perso.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bluewin.ch/index_f.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: (no name) - {08C99AA7-8187-4811-854D-8CBDA7C2F906} - c:\windows\system32\opbaopb.dll (file missing)
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: Explorer Helper - {696A82AF-3AD8-5A16-A1CA-32A59A63A863} - C:\WINDOWS\system\bremct32.dll (file missing)
O2 - BHO: (no name) - {B8C5186E-EC37-4889-9C2E-F73649FFB7BB} - C:\Program Files\Security Tools\iesplg.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Protection Bar - {31615D5C-5126-448A-818A-A7CDFEE85A9B} - C:\Program Files\Security Tools\iesbpl.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [Configuration Loader] scvhost.exe
O4 - HKLM\..\Run: [spooler SubSystem App] C:\WINDOWS\system32\spooIsv.exe
O4 - HKLM\..\Run: [bDMCon] c:\progra~1\softwin\bitdef~1\bdmcon.exe
O4 - HKLM\..\Run: [bDOESRV] "C:\Program Files\Softwin\BitDefender9\bdoesrv.exe"
O4 - HKLM\..\Run: [bDNewsAgent] "c:\progra~1\softwin\bitdef~1\bdnagent.exe"
O4 - HKLM\..\Run: [bDSwitchAgent] "c:\progra~1\softwin\bitdef~1\bdswitch.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\RunServices: [Configuration Loader] scvhost.exe
O4 - HKLM\..\RunServices: [Micros0ft Updote] FmMPacK32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: Easy-WebPrint Ajouter à la liste d'impressions - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint Impression rapide - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Imprimer - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O8 - Extra context menu item: Easy-WebPrint Prévisualiser - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.bluewin.ch/index_f.html
O16 - DPF: {01347765-1965-426B-91A4-AA6BB342B9A3} (InstallerObj Class) - http://www.1-click.com/common/files/instal...hidden-test.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.zebulon.fr/outils/antivirus/kav...can_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3202F990-3974-4BFA-ABEC-D54D3C6B4D4C}: NameServer = 85.255.115.94,85.255.112.24
O17 - HKLM\System\CCS\Services\Tcpip\..\{3DFC83E6-5612-4887-83BA-13129407C021}: NameServer = 85.255.115.94,85.255.112.24
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.94 85.255.112.24
O17 - HKLM\System\CS1\Services\Tcpip\..\{3202F990-3974-4BFA-ABEC-D54D3C6B4D4C}: NameServer = 85.255.115.94,85.255.112.24
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.94 85.255.112.24
O20 - Winlogon Notify: pnctghke - opbaopb.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Fichiers communs\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Fichiers communs\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender9\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Fichiers communs\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

-- File Associations -----------------------------------------------------------

All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R3 Mtlmnt5 - c:\windows\system32\drivers\mtlmnt5.sys <Not Verified; ; Modem for Windows NT 5.0>
R3 Slntamr (SmartLink AMR_PCI Driver) - c:\windows\system32\drivers\slntamr.sys <Not Verified; ; HAMR56>
R3 SlWdmSup - c:\windows\system32\drivers\slwdmsup.sys <Not Verified; Vireo Software; Driver::Works>

S2 FILESpy - c:\program files\softwin\bitdefender9\filespy.sys (file missing)
S2 REGSpy - c:\program files\softwin\bitdefender9\regspy.sys (file missing)
S3 Mtlstrm - c:\windows\system32\drivers\mtlstrm.sys <Not Verified; ; Modem for Windows NT>
S3 NtMtlFax - c:\windows\system32\drivers\ntmtlfax.sys <Not Verified; ; Modem for windows NT>
S3 SlNtHal - c:\windows\system32\drivers\slnthal.sys <Not Verified; ; Modem for windows NT>
S3 V90drv - c:\windows\system32\drivers\v90drv.sys <Not Verified; ; Modem for windows NT>

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 AntiVirScheduler (AntiVir PersonalEdition Classic Scheduler) - "c:\program files\antivir personaledition classic\sched.exe" <Not Verified; Avira GmbH; Scheduler>
R2 SLService (SmartLinkService) - slserv.exe <Not Verified; ; Modem>

-- Files created between 2007-04-30 and 2007-05-31 -----------------------------

2007-05-31 14:18:55 0 d-------- C:\Documents and Settings\LocalService\Application Data\Macromedia
2007-05-29 17:41:24 0 --a------ C:\WINDOWS\system32\kernel32.exe
2007-05-29 17:02:49 0 d-------- C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic
2007-05-28 17:32:35 0 d-------- C:\VundoFix Backups
2007-05-28 17:23:39 2142 --a------ C:\WINDOWS\system32\tmp.reg
2007-05-28 17:20:00 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-05-28 17:19:59 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2007-05-28 16:09:27 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2007-05-28 16:07:11 0 d-------- C:\Program Files\Navilog1
2007-05-28 15:12:53 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-05-28 15:05:28 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-05-27 18:49:38 202 --a------ C:\WINDOWS\1809.exe
2007-05-21 21:26:41 0 --a------ C:\WINDOWS\update7.exe
2007-05-20 00:14:20 0 d--hs---- C:\FOUND.009
2007-05-19 07:58:26 51200 --a------ C:\WINDOWS\dsb.exe
2007-05-17 23:07:13 20272 --a------ C:\WINDOWS\x.exe
2007-05-17 22:55:29 0 d-------- C:\Program Files\Security Tools
2007-05-13 19:42:28 51200 --a------ C:\WINDOWS\system32\hbaaaaaa.exe
2007-05-05 07:58:02 0 d--hs---- C:\FOUND.008

-- Find3M Report ---------------------------------------------------------------

2007-05-31 14:26:30 81984 --a------ C:\WINDOWS\system32\bdod.bin
2007-05-31 14:08:44 31 --a------ C:\WINDOWS\system32\getfile.dat
2007-05-20 16:45:18 44640 --a------ C:\WINDOWS\system32\ipv6monr.dll
2007-05-16 21:28:30 45664 --a------ C:\WINDOWS\system32\ipv6mons.dll
2007-03-19 11:15:50 21246 --a------ C:\WINDOWS\nsreg.dat

-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{08C99AA7-8187-4811-854D-8CBDA7C2F906} c:\windows\system32\opbaopb.dll [x]
{68F9551E-0411-48E4-9AAF-4BC42A6A46BE} C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
{696A82AF-3AD8-5A16-A1CA-32A59A63A863} C:\WINDOWS\system\bremct32.dll [x]
{B8C5186E-EC37-4889-9C2E-F73649FFB7BB} C:\Program Files\Security Tools\iesplg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
"CHotkey"="mHotkey.exe"
"Configuration Loader"="scvhost.exe"
"Spooler SubSystem App"="C:\\WINDOWS\\system32\\spooIsv.exe"
"BDMCon"="c:\\progra~1\\softwin\\bitdef~1\\bdmcon.exe"
"BDOESRV"="\"C:\\Program Files\\Softwin\\BitDefender9\\bdoesrv.exe\""
"BDNewsAgent"="\"c:\\progra~1\\softwin\\bitdef~1\\bdnagent.exe\""
"BDSwitchAgent"="\"c:\\progra~1\\softwin\\bitdef~1\\bdswitch.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"avgnt"="\"C:\\Program Files\\AntiVir PersonalEdition Classic\\avgnt.exe\" /min"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"Configuration Loader"="scvhost.exe"
"Micros0ft Updote"="FmMPacK32.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\ctfmon.exe"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"user32.dll"="C:\\Program Files\\Security Tools\\iesmn.exe"
"rare"="C:\\Program Files\\Security Tools\\imsmain.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{0c5a0fff-9164-493b-93e0-17446374e0a0}"="inflexive"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pnctghke

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"appinit_dlls"="sockspy.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\
Security Packages REG_MULTI_SZ kerberosmsv1_0schannelwdigest\
Notification Packages REG_MULTI_SZ scecli\

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^Rappels du Calendrier Microsoft Works.lnk]
"path"="C:\\Documents and Settings\\All Users\\Menu Démarrer\\Programmes\\Démarrage\\Rappels du Calendrier Microsoft Works.lnk"
"backup"="C:\\WINDOWS\\pss\\Rappels du Calendrier Microsoft Works.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\FICHIE~1\\MICROS~1\\WORKSS~1\\wkcalrem.exe "
"item"="Rappels du Calendrier Microsoft Works"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Micros0ft Updote]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="FmMPacK32"
"hkey"="HKLM"
"command"="FmMPacK32.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Portfolio]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="WksSb"
"hkey"="HKLM"
"command"="C:\\Program Files\\Microsoft Works\\WksSb.exe /AllUsers"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="WkDetect"
"hkey"="HKCU"
"command"="C:\\Program Files\\Microsoft Works\\WkDetect.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NVSvc"=dword:00000002

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ AlerterWebClientLmHostsRemoteRegistryupnphostSSDPSRV\
NetworkService REG_MULTI_SZ DnsCache\
rpcss REG_MULTI_SZ RpcSs\
imgsvc REG_MULTI_SZ StiSvc\
termsvcs REG_MULTI_SZ TermService\
HTTPFilter REG_MULTI_SZ HTTPFilter\
DcomLaunch REG_MULTI_SZ DcomLaunchTermService\

hklm\software\Microsoft\Windows NT\CurrentVersion\Svchost *netsvcs*
gb

-- End of Deckard's System Scanner: finished at 2007-05-31 at 14:28:58 ---------


 

Hello, I have to step out, so I'm also posting the AntiVir report

that I ran in safe mode.

 

Thanks

 

 

AntiVir PersonalEdition Classic

Report file date: 2007-05-29 17:45

 

Scanning for 740715 virus strains and unwanted programs.

 

Licensed to: Avira AntiVir PersonalEdition Classic

Serial number: 0000149996-ADJIE-0001

Platform: Windows XP

Windows version: (Service Pack 2) [5.1.2600]

Username: Perso

Computer name: NOM-FAJKDOF30K5

 

Version information:

BUILD.DAT : 247 14437 Bytes 10/05/2007 11:55:00

AVSCAN.EXE : 7.0.4.15 282664 Bytes 20/04/2007 11:37:16

AVSCAN.DLL : 7.0.4.4 33832 Bytes 27/03/2007 11:31:56

LUKE.DLL : 7.0.4.11 143400 Bytes 27/03/2007 11:26:06

LUKERES.DLL : 7.0.4.0 10280 Bytes 19/03/2007 11:19:00

ANTIVIR0.VDF : 6.35.0.1 7371264 Bytes 31/05/2006 13:08:58

ANTIVIR1.VDF : 6.37.1.151 4303360 Bytes 23/02/2007 13:09:02

ANTIVIR2.VDF : 6.38.0.214 729600 Bytes 12/04/2007 13:09:02

ANTIVIR3.VDF : 6.38.0.225 50688 Bytes 16/04/2007 13:09:02

AVEWIN32.DLL : 7.4.0.12 2404864 Bytes 13/04/2007 13:04:24

AVWINLL.DLL : 1.0.0.7 14376 Bytes 26/02/2007 09:36:28

AVPREF.DLL : 7.0.2.1 24616 Bytes 27/03/2007 11:31:52

AVREP.DLL : 7.0.0.1 155688 Bytes 16/04/2007 12:16:24

AVPACK32.DLL : 7.3.0.8 360488 Bytes 27/03/2007 07:48:30

AVREG.DLL : 7.0.1.2 31784 Bytes 15/03/2007 08:05:10

AVEVTLOG.DLL : 7.0.0.18 86056 Bytes 27/03/2007 11:16:06

AVARKT.DLL : 1.0.0.17 278568 Bytes 02/05/2007 10:32:28

NETNT.DLL : 7.0.0.0 7720 Bytes 08/03/2007 10:09:44

RCIMAGE.DLL : 7.0.1.15 2228264 Bytes 13/03/2007 09:46:20

RCTEXT.DLL : 7.0.45.0 86056 Bytes 19/03/2007 11:42:44

 

Configuration settings for the scan:

Jobname..........................: Local Drives

Configuration file...............: C:\Program Files\AntiVir PersonalEdition Classic\alldrives.avp

Logging..........................: low

Primary action...................: interactive

Secondary action.................: ignore

Scan master boot sector..........: off

Scan boot sector.................: on

Boot sectors.....................: H:,

Scan memory......................: on

Process scan.....................: on

Scan registry....................: on

Search for rootkits..............: off

Scan all files...................: Intelligent file selection

Scan archives....................: on

Recursion depth..................: 20

Smart extensions.................: on

Macro heuristic..................: on

File heuristic...................: medium

 

Start of the scan: 2007-05-29 17:45

 

The scan of running processes will be started

Scan process 'avscan.exe' - '1' Module(s) have been scanned

Scan process 'avcenter.exe' - '1' Module(s) have been scanned

Scan process 'iexplore.exe' - '1' Module(s) have been scanned

Scan process 'Explorer.EXE' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'lsass.exe' - '1' Module(s) have been scanned

Scan process 'services.exe' - '1' Module(s) have been scanned

Scan process 'winlogon.exe' - '1' Module(s) have been scanned

Scan process 'csrss.exe' - '1' Module(s) have been scanned

Scan process 'smss.exe' - '1' Module(s) have been scanned

12 processes with 12 modules were scanned

 

Start scanning boot sectors:

Boot sector 'C:\'

[NOTE] No virus was found!

Boot sector 'D:\'

[NOTE] No virus was found!

Boot sector 'E:\'

[NOTE] No virus was found!

Boot sector 'F:\'

[NOTE] No virus was found!

Boot sector 'G:\'

[NOTE] No virus was found!

Boot sector 'A:\'

[NOTE] In the drive 'A:\' no data medium is inserted!

 

Starting to scan the registry.

C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage\MS_update_0704_KB74073.exe

[DETECTION] Contains suspicious code HEUR/Crypted

[iNFO] The file was moved to '46bb4af5.qua'!

C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage\MS_update_0704_KB74073.exe

[DETECTION] Contains suspicious code HEUR/Crypted

 

The registry was scanned ( '17' files ).

 

 

Starting the file scan:

 

Begin scan in 'C:\' <WINXP_02C>

C:\tool.exe

[DETECTION] Is the Trojan horse TR/Spy.LowZones.CT

[iNFO] The file was moved to '46cb4b15.qua'!

C:\23100247.exe

[DETECTION] Is the Trojan horse TR/Dldr.Small.dlw

[iNFO] The file was moved to '468d4adb.qua'!

C:\PAGEFILE.SYS

[WARNING] The file could not be opened!

C:\asasa.exe

[DETECTION] Is the Trojan horse TR/Delphi.Downloader.Gen

[iNFO] The file was moved to '46bd4b1d.qua'!

C:\syst.exe

[DETECTION] Is the Trojan horse TR/Delphi.Downloader.Gen

[iNFO] The file was moved to '46cf4b25.qua'!

C:\WINDOWS\update.exe

[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen

[iNFO] The file was moved to '46c04b24.qua'!

C:\WINDOWS\system32\equoaaaa.exe

[DETECTION] Is the Trojan horse TR/Zapchast.CA.1

[iNFO] The file was moved to '46d14b2b.qua'!

C:\WINDOWS\system32\paqhvcdl.exe

[DETECTION] Is the Trojan horse TR/Zapchast.CA.1

[iNFO] The file was moved to '46cd4b29.qua'!

C:\WINDOWS\system32\peifqnga.exe

[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen

[iNFO] The file was moved to '46c54b2f.qua'!

C:\WINDOWS\system32\yffpaaaa.exe

[DETECTION] Contains suspicious code HEUR/Crypted

[iNFO] The file was moved to '46c24b39.qua'!

C:\WINDOWS\system32\eubrsvvv.exe

[DETECTION] Is the Trojan horse TR/Zapchast.CA.1

[iNFO] The file was moved to '46be4b4b.qua'!

C:\WINDOWS\system32\wtfyujkw.exe

[DETECTION] Contains suspicious code HEUR/Malware

[iNFO] The file was moved to '46c24b50.qua'!

C:\WINDOWS\system32\opbaopb.dll

[DETECTION] Is the Trojan horse TR/Dldr.ConHook.Gen

[WARNING] An error has occurred and the file was not deleted. ErrorID: 16003

[WARNING] The file could not be deleted!

C:\WINDOWS\system32\fihxxgoy.exe

[DETECTION] Is the Trojan horse TR/Zapchast.CA.1

[iNFO] The file was moved to '46c44b5a.qua'!

C:\WINDOWS\system32\kiinaaaa.exe

[DETECTION] Is the Trojan horse TR/Zapchast.CA.1

[iNFO] The file was moved to '46c54b5e.qua'!

C:\WINDOWS\system32\puiyxaaa.exe

[DETECTION] Is the Trojan horse TR/Zapchast.CA.1

[iNFO] The file was moved to '46c54b6c.qua'!

C:\WINDOWS\system32\tygcaaaa.exe

[DETECTION] Is the Trojan horse TR/Zapchast.CA.1

[iNFO] The file was moved to '46c34b75.qua'!

C:\WINDOWS\system32\fiiylyeq.exe

[DETECTION] Is the Trojan horse TR/Zapchast.CA.1

[iNFO] The file was moved to '46c54b66.qua'!

C:\WINDOWS\system32\ehxbaaaa.exe

[DETECTION] Is the Trojan horse TR/Zapchast.CA.1

[iNFO] The file was moved to '46d44b66.qua'!

C:\WINDOWS\system32\hxbtyaaa.exe

[DETECTION] Is the Trojan horse TR/Zapchast.CA.1

[iNFO] The file was moved to '46be4b76.qua'!

C:\WINDOWS\system32\yeqkaaaa.exe

[DETECTION] Is the Trojan horse TR/Zapchast.CA.1

[iNFO] The file was moved to '46cd4b64.qua'!

C:\WINDOWS\system32\sumhxpat.exe

[DETECTION] Is the Trojan horse TR/Zapchast.CA.1

[iNFO] The file was moved to '46c94b74.qua'!

C:\WINDOWS\system32\wjlpvfcx.exe

[DETECTION] Is the Trojan horse TR/Zapchast.CA.1

[iNFO] The file was moved to '46c84b69.qua'!

C:\WINDOWS\system32\ioyhnaaa.exe

[DETECTION] Is the Trojan horse TR/Zapchast.CA.1

[iNFO] The file was moved to '46d54b6f.qua'!

C:\WINDOWS\system32\glghfjeb.exe

[DETECTION] Is the Trojan horse TR/Zapchast.CA.1

[iNFO] The file was moved to '46c34b6e.qua'!

C:\WINDOWS\system32\cehnoaaa.exe

[DETECTION] Is the Trojan horse TR/Zapchast.CA.1

[iNFO] The file was moved to '46c44b67.qua'!

C:\WINDOWS\system32\wjmitaaa.exe

[DETECTION] Is the Trojan horse TR/Zapchast.CA.1

[iNFO] The file was moved to '46c94b6d.qua'!

C:\WINDOWS\system32\xedlkkjq.exe

[DETECTION] Is the Trojan horse TR/Zapchast.CA.1

[iNFO] The file was moved to '46c04b68.qua'!

C:\WINDOWS\system32\kagugwuq.exe

[DETECTION] Is the Trojan horse TR/Zapchast.CA.1

[iNFO] The file was moved to '46c34b64.qua'!

C:\WINDOWS\system32\sygaaaaa.exe

[DETECTION] Is the Trojan horse TR/Zapchast.CA.1

[iNFO] The file was moved to '46c34b7d.qua'!

C:\WINDOWS\system32\aafjaaaa.exe

[DETECTION] Is the Trojan horse TR/Zapchast.CA.1

[iNFO] The file was moved to '46c24b65.qua'!

C:\WINDOWS\system32\mtvwaaaa.exe

[DETECTION] Is the Trojan horse TR/Zapchast.CA.1

[iNFO] The file was moved to '46d24b79.qua'!

C:\WINDOWS\system32\kegfbaaa.exe

[DETECTION] Is the Trojan horse TR/Zapchast.CA.1

[iNFO] The file was moved to '46c34b6b.qua'!

C:\WINDOWS\system32\vuoxujuf.exe

[DETECTION] Is the Trojan horse TR/Zapchast.CA.1

[iNFO] The file was moved to '46cb4b7d.qua'!

C:\WINDOWS\system32\kehjtrmo.exe

[DETECTION] Is the Trojan horse TR/Zapchast.CA.1

[iNFO] The file was moved to '46c44b6d.qua'!

C:\WINDOWS\system32\layappai.exe

[DETECTION] Is the Trojan horse TR/Zapchast.CA.1

[iNFO] The file was moved to '46d54b69.qua'!

C:\WINDOWS\system32\kewxurty.exe

[DETECTION] Is the Trojan horse TR/Zapchast.CA.1

[iNFO] The file was moved to '46d34b6e.qua'!

C:\WINDOWS\system32\hdtiaaaa.exe

[DETECTION] Is the Trojan horse TR/Zapchast.CA.1

[iNFO] The file was moved to '46d04b6d.qua'!

C:\WINDOWS\system32\lutuaaaa.exe

[DETECTION] Is the Trojan horse TR/Zapchast.CA.1

[iNFO] The file was moved to '46d04b7f.qua'!

C:\WINDOWS\system32\nshgwaaa.exe

[DETECTION] Is the Trojan horse TR/Zapchast.CA.1

[iNFO] The file was moved to '46c44b7d.qua'!

C:\WINDOWS\system32\toowplgd.exe

[DETECTION] Is the Trojan horse TR/Zapchast.CA.1

[iNFO] The file was moved to '46cb4b7b.qua'!

C:\WINDOWS\system32\pdgaaaaa.exe

[DETECTION] Is the Trojan horse TR/Zapchast.CA.1

[iNFO] The file was moved to '46c34b70.qua'!

C:\WINDOWS\system32\mwvaaaaa.exe

[DETECTION] Is the Trojan horse TR/Zapchast.CA.1

[iNFO] The file was moved to '46d24b84.qua'!

C:\WINDOWS\system32\uyqrbwrr.exe

[DETECTION] Is the Trojan horse TR/Zapchast.CA.1

[iNFO] The file was moved to '46cd4b86.qua'!

C:\WINDOWS\system32\luiyiaaa.exe

[DETECTION] Is the Trojan horse TR/Zapchast.CA.1

[iNFO] The file was moved to '46c54b82.qua'!

C:\WINDOWS\system32\hxwftpls.exe

[DETECTION] Is the Trojan horse TR/Zapchast.CA.1

[iNFO] The file was moved to '46d34b86.qua'!

C:\WINDOWS\system32\todthwlw.exe

[DETECTION] Is the Trojan horse TR/Zapchast.CA.1

[iNFO] The file was moved to '46c04b7d.qua'!

C:\WINDOWS\system32\qjhebbyx.exe

[DETECTION] Is the Trojan horse TR/Zapchast.CA.1

[iNFO] The file was moved to '46c44b78.qua'!

C:\WINDOWS\system32\mxtclerq.exe

[DETECTION] Is the Trojan horse TR/Zapchast.CA.1

[iNFO] The file was moved to '46d04b87.qua'!

C:\WINDOWS\system32\ueuspbym.exe

[DETECTION] Is the Trojan horse TR/Zapchast.CA.1

[iNFO] The file was moved to '46d14b74.qua'!

C:\WINDOWS\system32\oaranaaa.exe

[DETECTION] Is the Trojan horse TR/Zapchast.CA.1

[iNFO] The file was moved to '46ce4b71.qua'!

C:\WINDOWS\system32\laomiqyf.exe

[DETECTION] Is the Trojan horse TR/Zapchast.CA.1

[iNFO] The file was moved to '46cb4b72.qua'!

C:\WINDOWS\system32\hxeuebtf.exe

[DETECTION] Is the Trojan horse TR/Zapchast.CA.1

[iNFO] The file was moved to '46c14b8a.qua'!

C:\WINDOWS\system32\nsioyaaa.exe

[DETECTION] Is the Trojan horse TR/Zapchast.CA.1

[iNFO] The file was moved to '46c54b85.qua'!

C:\WINDOWS\system32\yeykyfjm.exe

[DETECTION] Is the Trojan horse TR/Zapchast.CA.1

[iNFO] The file was moved to '46d54b77.qua'!

C:\WINDOWS\system32\vtytlaqn.exe

[DETECTION] Is the Trojan horse TR/Zapchast.CA.1

[iNFO] The file was moved to '46d54b87.qua'!

C:\WINDOWS\system32\wmcyaaaa.exe

[DETECTION] Is the Trojan horse TR/Zapchast.CA.1

[iNFO] The file was moved to '46bf4b81.qua'!

C:\WINDOWS\system32\sdwxakhf.exe

[DETECTION] Is the Trojan horse TR/Zapchast.CA.1

[iNFO] The file was moved to '46d34b79.qua'!

C:\WINDOWS\system32\oabqaaaa.exe

[DETECTION] Is the Trojan horse TR/Zapchast.CA.1

[iNFO] The file was moved to '47340d5b.qua'!

C:\WINDOWS\system32\aeapwuud.exe

[DETECTION] Is the Trojan horse TR/Zapchast.CA.1

[iNFO] The file was moved to '46bd4b7b.qua'!

C:\WINDOWS\system32\bffbaaaa.exe

[DETECTION] Is the Trojan horse TR/Zapchast.CA.1

[iNFO] The file was moved to '46c24b7c.qua'!

C:\WINDOWS\system32\rsnruqas.exe

[DETECTION] Is the Trojan horse TR/Zapchast.CA.1

[iNFO] The file was moved to '46ca4b8a.qua'!

C:\WINDOWS\system32\oagaaaaa.exe

[DETECTION] Is the Trojan horse TR/Zapchast.CA.1

[iNFO] The file was moved to '46c34b78.qua'!

C:\WINDOWS\system32\uejtaaaa.exe

[DETECTION] Is the Trojan horse TR/Zapchast.CA.1

[iNFO] The file was moved to '46c64b7c.qua'!

C:\WINDOWS\system32\xitsrapy.exe

[DETECTION] Is the Trojan horse TR/Zapchast.CA.1

[iNFO] The file was moved to '46d04b81.qua'!

C:\WINDOWS\system32\cifpaaaa.exe

[DETECTION] Is the Trojan horse TR/Zapchast.CA.1

[iNFO] The file was moved to '46c24b82.qua'!

C:\WINDOWS\system32\nxsaqaaa.exe

[DETECTION] Is the Trojan horse TR/Zapchast.CA.1

[iNFO] The file was moved to '46cf4b91.qua'!

C:\WINDOWS\system32\kecbfucn.exe

[DETECTION] Is the Trojan horse TR/Zapchast.CA.1

[iNFO] The file was moved to '46bf4b7e.qua'!

C:\WINDOWS\system32\uekiucnx.exe

[DETECTION] Is the Trojan horse TR/Zapchast.CA.1

[iNFO] The file was moved to '46c74b80.qua'!

C:\WINDOWS\system32\pikckews.exe

[DETECTION] Is the Trojan horse TR/Zapchast.CA.1

[iNFO] The file was moved to '46c74b85.qua'!

C:\WINDOWS\system32\aijkdjus.exe

[DETECTION] Is the Trojan horse TR/Zapchast.CA.1

[iNFO] The file was moved to '46c64b85.qua'!

C:\WINDOWS\system32\wrpjpaaa.exe

[DETECTION] Is the Trojan horse TR/Zapchast.CA.1

[iNFO] The file was moved to '46cc4b8f.qua'!

C:\WINDOWS\system32\yfuqaaaa.exe

[DETECTION] Is the Trojan horse TR/Zapchast.CA.1

[iNFO] The file was moved to '46d14b83.qua'!

C:\WINDOWS\system32\nxwadjtm.exe

[DETECTION] Is the Trojan horse TR/Zapchast.CA.1

[iNFO] The file was moved to '46d34b96.qua'!

C:\WINDOWS\system32\yfkavlbh.exe

[DETECTION] Is the Trojan horse TR/Zapchast.CA.1

[iNFO] The file was moved to '46c74b84.qua'!

C:\WINDOWS\system32\nxahcoeg.exe

[DETECTION] Is the Trojan horse TR/Zapchast.CA.1

[iNFO] The file was moved to '46bd4b98.qua'!

C:\WINDOWS\system32\lefmevnq.exe

[DETECTION] Is the Trojan horse TR/Zapchast.CA.1

[iNFO] The file was moved to '46c24b86.qua'!

C:\WINDOWS\system32\lvhaetda.exe

[DETECTION] Is the Trojan horse TR/Zapchast.CA.1

[iNFO] The file was moved to '46c44b98.qua'!

C:\WINDOWS\system32\ovdrnkdv.exe

[DETECTION] Is the Trojan horse TR/Zapchast.CA.1

[iNFO] The file was moved to '46c04b99.qua'!

C:\WINDOWS\system32\euaodrtc.exe

[DETECTION] Is the Trojan horse TR/Zapchast.CA.1

[iNFO] The file was moved to '47370db5.qua'!

C:\WINDOWS\system32\isrpoaaa.exe

[DETECTION] Is the Trojan horse TR/Zapchast.CA.1

[iNFO] The file was moved to '46ce4b97.qua'!

C:\WINDOWS\system32\qgiieaaa.exe

[DETECTION] Is the Trojan horse TR/Zapchast.CA.1

[iNFO] The file was moved to '46c54b8b.qua'!

C:\WINDOWS\system32\iomwlkhq.exe

[DETECTION] Is the Trojan horse TR/Zapchast.CA.1

[iNFO] The file was moved to '46c94b95.qua'!

C:\WINDOWS\system32\tpjaqqaa.exe

[DETECTION] Is the Trojan horse TR/Zapchast.CA.1

[iNFO] The file was moved to '46c64b9d.qua'!

C:\WINDOWS\system32\jkdpfaaa.exe

[DETECTION] Is the Trojan horse TR/Zapchast.CA.1

[iNFO] The file was moved to '46c04b98.qua'!

C:\WINDOWS\system32\ueibaaaa.exe

[DETECTION] Is the Trojan horse TR/Zapchast.CA.1

[iNFO] The file was moved to '46c54b93.qua'!

C:\WINDOWS\system32\tpqxsnrf.exe

[DETECTION] Is the Trojan horse TR/Zapchast.CA.1

[iNFO] The file was moved to '46cd4b9e.qua'!

C:\WINDOWS\system32\cedifaaa.exe

[DETECTION] Is the Trojan horse TR/Zapchast.CA.1

[iNFO] The file was moved to '46c04b96.qua'!

C:\WINDOWS\system32\uacicqxu.exe

[DETECTION] Is the Trojan horse TR/Zapchast.CA.1

[iNFO] The file was moved to '46bf4b92.qua'!

C:\WINDOWS\system32\rsermjxc.exe

[DETECTION] Is the Trojan horse TR/Zapchast.CA.1

[iNFO] The file was moved to '46c14ba5.qua'!

C:\WINDOWS\system32\mxuebaaa.exe

[DETECTION] Is the Trojan horse TR/Zapchast.CA.1

[iNFO] The file was moved to '46d14bab.qua'!

C:\WINDOWS\system32\nxleuqkb.exe

[DETECTION] Is the Trojan horse TR/Zapchast.CA.1

[iNFO] The file was moved to '46c84bab.qua'!

C:\WINDOWS\system32\tpfulaaa.exe

[DETECTION] Is the Trojan horse TR/Zapchast.CA.1

[iNFO] The file was moved to '46c24ba4.qua'!

C:\WINDOWS\system32\TFTP332

[DETECTION] Contains signature of the worm WORM/RBot.130901

[iNFO] The file was moved to '46b04b7a.qua'!

C:\WINDOWS\system32\fershdfs.exe

[DETECTION] Is the Trojan horse TR/Zapchast.CA.1

[iNFO] The file was moved to '46ce4b99.qua'!

C:\WINDOWS\system32\xigaaaaa.exe

[DETECTION] Is the Trojan horse TR/Zapchast.CA.1

[iNFO] The file was moved to '46c34b9e.qua'!

C:\WINDOWS\system32\wnijaaaa.exe

[DETECTION] Is the Trojan horse TR/Zapchast.CA.1

[iNFO] The file was moved to '46c54ba3.qua'!

C:\WINDOWS\system32\ayczu.exe

[DETECTION] Is the Trojan horse TR/Dldr.DNSChanger.Gen

[iNFO] The file was moved to '46bf4bae.qua'!

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\OZG1Y9MJ06_regular[1].cab

[0] Archive type: CAB (Microsoft)

--> istactivex.dll

[DETECTION] Is the Trojan horse TR/Dldr.Small.bph.1

[iNFO] The file was moved to '468c4b7b.qua'!

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\S5EN0D27\prompt[1].html

[DETECTION] Contains signature of the Java script virus JS/Dldr.IstBar.J

[iNFO] The file was moved to '46cb4bbd.qua'!

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\S1G9WHGN\MediaTicketsInstaller[1].cab

[0] Archive type: CAB (Microsoft)

--> MediaTicketsInstaller.ocx

[DETECTION] Is the Trojan horse TR/Dldr.Agen.QT.2.D

[iNFO] The file was moved to '46c04bb0.qua'!

C:\WINDOWS\system32\ActiveScan\pskavs.dll

[DETECTION] Contains signature of the Windows virus W95/Blumblebee.1738

[iNFO] The file was moved to '46c74c15.qua'!

C:\WINDOWS\system\bremct32.dll

[DETECTION] Contains suspicious code HEUR/Malware

[iNFO] The file was moved to '46c14c20.qua'!

C:\WINDOWS\Downloaded Program Files\installer.dll

[DETECTION] Is the Trojan horse TR/Dldr.ClickMe.A.1

[iNFO] The file was moved to '46cf4dfb.qua'!

C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic\TEMP\AVGUARD_46923a7f\AV000013dc$000002cb.AV$

[DETECTION] Contains suspicious code HEUR/Malware

[iNFO] The file was moved to '468c4fae.qua'!

C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic\TEMP\AVGUARD_46923a7f\AV000013e0$000002ce.AV$

[DETECTION] Contains suspicious code HEUR/Malware

[iNFO] The file was moved to '4702132b.qua'!

C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic\TEMP\AVGUARD_46923a7f\AV000013c4$000002cf.AV$

[DETECTION] Contains suspicious code HEUR/Malware

[iNFO] The file was moved to '468c4faf.qua'!

C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic\TEMP\AVGUARD_46923a7f\AV000013b4$000002ca.AV$

[DETECTION] Contains suspicious code HEUR/Malware

[iNFO] The file was moved to '47021334.qua'!

C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic\TEMP\AVGUARD_46923a7f\AV000013ac$000002cd.AV$

[DETECTION] Contains suspicious code HEUR/Malware

[iNFO] The file was moved to '468c4fb1.qua'!

C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic\TEMP\AVGUARD_46923a7f\AV000013b4$000002d0.AV$

[DETECTION] Contains suspicious code HEUR/Malware

[iNFO] The file was moved to '47021336.qua'!

C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic\TEMP\AVGUARD_46923a7f\AV000013ac$000002d1.AV$

[DETECTION] Contains suspicious code HEUR/Malware

[iNFO] The file was moved to '468c4fb0.qua'!

C:\Documents and Settings\Perso\bleh.exe

[DETECTION] Contains signature of the worm WORM/Agobot.52505

[iNFO] The file was moved to '46c14fca.qua'!

C:\Documents and Settings\Perso\~tmp0374.exe

[DETECTION] Contains suspicious code HEUR/Malware

[iNFO] The file was moved to '46c94fd3.qua'!

C:\Program Files\Softwin\BitDefender9\Quarantine\spooIsv.exe

[DETECTION] Contains a signature of the (dangerous) backdoor program BDS/PoeBot.B.9 Backdoor server programs

[iNFO] The file was moved to '46cb50d5.qua'!

C:\Program Files\OneClick\AutoUpdate.exe

[DETECTION] Is the Trojan horse TR/Dldr.ClickMe.A.6

[iNFO] The file was moved to '46d050de.qua'!

C:\Program Files\OneClick\OneClick.exe

[DETECTION] Is the Trojan horse TR/Dldr.ClickMe.A.3

[iNFO] The file was moved to '46c150d7.qua'!

C:\System Volume Information\_restore{80F67991-5EE3-42F5-ACD0-85E44CAFF994}\RP219\A0067005.exe

[DETECTION] Is the Trojan horse TR/Dldr.DNSChanger.Gen

[iNFO] The file was moved to '468c50dc.qua'!

C:\System Volume Information\_restore{80F67991-5EE3-42F5-ACD0-85E44CAFF994}\RP219\A0067008.exe

[DETECTION] Contains suspicious code HEUR/Crypted

[iNFO] The file was moved to '468c50dd.qua'!

C:\System Volume Information\_restore{80F67991-5EE3-42F5-ACD0-85E44CAFF994}\RP219\A0067009.exe

[DETECTION] Is the Trojan horse TR/Spy.LowZones.CT

[iNFO] The file was moved to '47071b72.qua'!

C:\System Volume Information\_restore{80F67991-5EE3-42F5-ACD0-85E44CAFF994}\RP219\A0067010.exe

[DETECTION] Is the Trojan horse TR/Dldr.Small.dlw

[iNFO] The file was moved to '468c50df.qua'!

C:\System Volume Information\_restore{80F67991-5EE3-42F5-ACD0-85E44CAFF994}\RP219\A0067011.exe

[DETECTION] Is the Trojan horse TR/Delphi.Downloader.Gen

[iNFO] The file was moved to '468c50de.qua'!

C:\System Volume Information\_restore{80F67991-5EE3-42F5-ACD0-85E44CAFF994}\RP219\A0067012.exe

[DETECTION] Is the Trojan horse TR/Delphi.Downloader.Gen

[iNFO] The file was moved to '47071b73.qua'!

C:\System Volume Information\_restore{80F67991-5EE3-42F5-ACD0-85E44CAFF994}\RP219\A0067013.exe

[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen

[iNFO] The file was moved to '468c50d8.qua'!

C:\System Volume Information\_restore{80F67991-5EE3-42F5-ACD0-85E44CAFF994}\RP219\A0067014.exe

[DETECTION] Is the Trojan horse TR/Zapchast.CA.1

[iNFO] The file was moved to '47071b75.qua'!

C:\System Volume Information\_restore{80F67991-5EE3-42F5-ACD0-85E44CAFF994}\RP219\A0067015.exe

[DETECTION] Is the Trojan horse TR/Zapchast.CA.1

[iNFO] The file was moved to '47071b4c.qua'!

C:\System Volume Information\_restore{80F67991-5EE3-42F5-ACD0-85E44CAFF994}\RP219\A0067016.exe

[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen

[iNFO] The file was moved to '468c50e1.qua'!

C:\System Volume Information\_restore{80F67991-5EE3-42F5-ACD0-85E44CAFF994}\RP219\A0067017.exe

[DETECTION] Contains suspicious code HEUR/Crypted

[iNFO] The file was moved to '47071b4e.qua'!

C:\System Volume Information\_restore{80F67991-5EE3-42F5-ACD0-85E44CAFF994}\RP219\A0067018.exe

[DETECTION] Is the Trojan horse TR/Zapchast.CA.1

[iNFO] The file was moved to '468c50e0.qua'!

C:\System Volume Information\_restore{80F67991-5EE3-42F5-ACD0-85E44CAFF994}\RP219\A0067019.exe

[DETECTION] Contains suspicious code HEUR/Malware

[iNFO] The file was moved to '47071b4d.qua'!

C:\System Volume Information\_restore{80F67991-5EE3-42F5-ACD0-85E44CAFF994}\RP219\A0067020.exe

[DETECTION] Is the Trojan horse TR/Zapchast.CA.1

[iNFO] The file was moved to '468c50e2.qua'!

C:\System Volume Information\_restore{80F67991-5EE3-42F5-ACD0-85E44CAFF994}\RP219\A0067021.exe

[DETECTION] Is the Trojan horse TR/Zapchast.CA.1

[iNFO] The file was moved to '47071b4f.qua'!

C:\System Volume Information\_restore{80F67991-5EE3-42F5-ACD0-85E44CAFF994}\RP219\A0067022.exe

[DETECTION] Is the Trojan horse TR/Zapchast.CA.1

[iNFO] The file was moved to '468c50e3.qua'!

C:\System Volume Information\_restore{80F67991-5EE3-42F5-ACD0-85E44CAFF994}\RP219\A0067023.exe

[DETECTION] Is the Trojan horse TR/Zapchast.CA.1

[iNFO] The file was moved to '47071b48.qua'!

C:\System Volume Information\_restore{80F67991-5EE3-42F5-ACD0-85E44CAFF994}\RP219\A0067024.exe

[DETECTION] Is the Trojan horse TR/Zapchast.CA.1

[iNFO] The file was moved to '468c50e5.qua'!

C:\System Volume Information\_restore{80F67991-5EE3-42F5-ACD0-85E44CAFF994}\RP219\A0067025.exe

[DETECTION] Is the Trojan horse TR/Zapchast.CA.1

[iNFO] The file was moved to '47071b4a.qua'!

C:\System Volume Information\_restore{80F67991-5EE3-42F5-ACD0-85E44CAFF994}\RP219\A0067026.exe

[DETECTION] Is the Trojan horse TR/Zapchast.CA.1

[iNFO] The file was moved to '468c50fc.qua'!

C:\System Volume Information\_restore{80F67991-5EE3-42F5-ACD0-85E44CAFF994}\RP219\A0067027.exe

[DETECTION] Is the Trojan horse TR/Zapchast.CA.1

[iNFO] The file was moved to '47071b51.qua'!

C:\System Volume Information\_restore{80F67991-5EE3-42F5-ACD0-85E44CAFF994}\RP219\A0067028.exe

[DETECTION] Is the Trojan horse TR/Zapchast.CA.1

[iNFO] The file was moved to '468c50fe.qua'!

C:\System Volume Information\_restore{80F67991-5EE3-42F5-ACD0-85E44CAFF994}\RP219\A0067029.exe

[DETECTION] Is the Trojan horse TR/Zapchast.CA.1

[iNFO] The file was moved to '468c50e7.qua'!

C:\System Volume Information\_restore{80F67991-5EE3-42F5-ACD0-85E44CAFF994}\RP219\A0067030.exe

[DETECTION] Is the Trojan horse TR/Zapchast.CA.1

[iNFO] The file was moved to '47071b44.qua'!

C:\System Volume Information\_restore{80F67991-5EE3-42F5-ACD0-85E44CAFF994}\RP219\A0067031.exe

[DETECTION] Is the Trojan horse TR/Zapchast.CA.1

[iNFO] The file was moved to '468c50e9.qua'!

C:\System Volume Information\_restore{80F67991-5EE3-42F5-ACD0-85E44CAFF994}\RP219\A0067032.exe

[DETECTION] Is the Trojan horse TR/Zapchast.CA.1

[iNFO] The file was moved to '47071b46.qua'!

C:\System Volume Information\_restore{80F67991-5EE3-42F5-ACD0-85E44CAFF994}\RP219\A0067033.exe

[DETECTION] Is the Trojan horse TR/Zapchast.CA.1

[iNFO] The file was moved to '468c50e4.qua'!

C:\System Volume Information\_restore{80F67991-5EE3-42F5-ACD0-85E44CAFF994}\RP219\A0067034.exe

[DETECTION] Is the Trojan horse TR/Zapchast.CA.1

[iNFO] The file was moved to '47071b49.qua'!

C:\System Volume Information\_restore{80F67991-5EE3-42F5-ACD0-85E44CAFF994}\RP219\A0067035.exe

[DETECTION] Is the Trojan horse TR/Zapchast.CA.1

[iNFO] The file was moved to '468c50e6.qua'!

C:\System Volume Information\_restore{80F67991-5EE3-42F5-ACD0-85E44CAFF994}\RP219\A0067036.exe

[DETECTION] Is the Trojan horse TR/Zapchast.CA.1

[iNFO] The file was moved to '47071b4b.qua'!

C:\System Volume Information\_restore{80F67991-5EE3-42F5-ACD0-85E44CAFF994}\RP219\A0067037.exe

[DETECTION] Is the Trojan horse TR/Zapchast.CA.1

[iNFO] The file was moved to '468c50eb.qua'!

C:\System Volume Information\_restore{80F67991-5EE3-42F5-ACD0-85E44CAFF994}\RP219\A0067038.exe

[DETECTION] Is the Trojan horse TR/Zapchast.CA.1

[iNFO] The file was moved to '47071b40.qua'!

C:\System Volume Information\_restore{80F67991-5EE3-42F5-ACD0-85E44CAFF994}\RP219\A0067039.exe

[DETECTION] Is the Trojan horse TR/Zapchast.CA.1

[iNFO] The file was moved to '468c50ed.qua'!

C:\System Volume Information\_restore{80F67991-5EE3-42F5-ACD0-85E44CAFF994}\RP219\A0067040.exe

[DETECTION] Is the Trojan horse TR/Zapchast.CA.1

[iNFO] The file was moved to '47071b42.qua'!

C:\System Volume Information\_restore{80F67991-5EE3-42F5-ACD0-85E44CAFF994}\RP219\A0067041.exe

[DETECTION] Is the Trojan horse TR/Zapchast.CA.1

[iNFO] The file was moved to '47071b53.qua'!

C:\System Volume Information\_restore{80F67991-5EE3-42F5-ACD0-85E44CAFF994}\RP219\A0067042.exe

[DETECTION] Is the Trojan horse TR/Zapchast.CA.1

[iNFO] The file was moved to '468c50f8.qua'!

C:\System Volume Information\_restore{80F67991-5EE3-42F5-ACD0-85E44CAFF994}\RP219\A0067043.exe

[DETECTION] Is the Trojan horse TR/Zapchast.CA.1

[iNFO] The file was moved to '47071b55.qua'!

C:\System Volume Information\_restore{80F67991-5EE3-42F5-ACD0-85E44CAFF994}\RP219\A0067044.exe

[DETECTION] Is the Trojan horse TR/Zapchast.CA.1

[iNFO] The file was moved to '468c50fa.qua'!

C:\System Volume Information\_restore{80F67991-5EE3-42F5-ACD0-85E44CAFF994}\RP219\A0067045.exe

[DETECTION] Is the Trojan horse TR/Zapchast.CA.1

[iNFO] The file was moved to '468c50ef.qua'!

C:\System Volume Information\_restore{80F67991-5EE3-42F5-ACD0-85E44CAFF994}\RP219\A0067046.exe
  [DETECTION] Is the Trojan horse TR/Zapchast.CA.1
  [INFO] The file was moved to '47071b5c.qua'!
C:\System Volume Information\_restore{80F67991-5EE3-42F5-ACD0-85E44CAFF994}\RP219\A0067047.exe
  [DETECTION] Is the Trojan horse TR/Zapchast.CA.1
  [INFO] The file was moved to '468c50f1.qua'!
C:\System Volume Information\_restore{80F67991-5EE3-42F5-ACD0-85E44CAFF994}\RP219\A0067048.exe
  [DETECTION] Is the Trojan horse TR/Zapchast.CA.1
  [INFO] The file was moved to '47071b5e.qua'!
C:\System Volume Information\_restore{80F67991-5EE3-42F5-ACD0-85E44CAFF994}\RP219\A0067049.exe
  [DETECTION] Is the Trojan horse TR/Zapchast.CA.1
  [INFO] The file was moved to '468c50e8.qua'!
C:\System Volume Information\_restore{80F67991-5EE3-42F5-ACD0-85E44CAFF994}\RP219\A0067050.exe
  [DETECTION] Is the Trojan horse TR/Zapchast.CA.1
  [INFO] The file was moved to '47071b45.qua'!
C:\System Volume Information\_restore{80F67991-5EE3-42F5-ACD0-85E44CAFF994}\RP219\A0067051.exe
  [DETECTION] Is the Trojan horse TR/Zapchast.CA.1
  [INFO] The file was moved to '468c50ea.qua'!
C:\System Volume Information\_restore{80F67991-5EE3-42F5-ACD0-85E44CAFF994}\RP219\A0067052.exe
  [DETECTION] Is the Trojan horse TR/Zapchast.CA.1
  [INFO] The file was moved to '47071b47.qua'!
C:\System Volume Information\_restore{80F67991-5EE3-42F5-ACD0-85E44CAFF994}\RP219\A0067053.exe
  [DETECTION] Is the Trojan horse TR/Zapchast.CA.1
  [INFO] The file was moved to '468c50f3.qua'!
C:\System Volume Information\_restore{80F67991-5EE3-42F5-ACD0-85E44CAFF994}\RP219\A0067054.exe
  [DETECTION] Is the Trojan horse TR/Zapchast.CA.1
  [INFO] The file was moved to '47071b58.qua'!
C:\System Volume Information\_restore{80F67991-5EE3-42F5-ACD0-85E44CAFF994}\RP219\A0067055.exe
  [DETECTION] Is the Trojan horse TR/Zapchast.CA.1
  [INFO] The file was moved to '468c50f5.qua'!
C:\System Volume Information\_restore{80F67991-5EE3-42F5-ACD0-85E44CAFF994}\RP219\A0067056.exe
  [DETECTION] Is the Trojan horse TR/Zapchast.CA.1
  [INFO] The file was moved to '47071b57.qua'!
C:\System Volume Information\_restore{80F67991-5EE3-42F5-ACD0-85E44CAFF994}\RP219\A0067057.exe
  [DETECTION] Is the Trojan horse TR/Zapchast.CA.1
  [INFO] The file was moved to '468c50f4.qua'!
C:\System Volume Information\_restore{80F67991-5EE3-42F5-ACD0-85E44CAFF994}\RP219\A0067058.exe
  [DETECTION] Is the Trojan horse TR/Zapchast.CA.1
  [INFO] The file was moved to '47071b59.qua'!
C:\System Volume Information\_restore{80F67991-5EE3-42F5-ACD0-85E44CAFF994}\RP219\A0067059.exe
  [DETECTION] Is the Trojan horse TR/Zapchast.CA.1
  [INFO] The file was moved to '468c50f6.qua'!
C:\System Volume Information\_restore{80F67991-5EE3-42F5-ACD0-85E44CAFF994}\RP219\A0067060.exe
  [DETECTION] Is the Trojan horse TR/Zapchast.CA.1
  [INFO] The file was moved to '47071b5a.qua'!
C:\System Volume Information\_restore{80F67991-5EE3-42F5-ACD0-85E44CAFF994}\RP219\A0067061.exe
  [DETECTION] Is the Trojan horse TR/Zapchast.CA.1
  [INFO] The file was moved to '468c50f7.qua'!
C:\System Volume Information\_restore{80F67991-5EE3-42F5-ACD0-85E44CAFF994}\RP219\A0067062.exe
  [DETECTION] Is the Trojan horse TR/Zapchast.CA.1
  [INFO] The file was moved to '47071b54.qua'!
C:\System Volume Information\_restore{80F67991-5EE3-42F5-ACD0-85E44CAFF994}\RP219\A0067063.exe
  [DETECTION] Is the Trojan horse TR/Zapchast.CA.1
  [INFO] The file was moved to '468c50f9.qua'!
C:\System Volume Information\_restore{80F67991-5EE3-42F5-ACD0-85E44CAFF994}\RP219\A0067064.exe
  [DETECTION] Is the Trojan horse TR/Zapchast.CA.1
  [INFO] The file was moved to '468c50ec.qua'!
C:\System Volume Information\_restore{80F67991-5EE3-42F5-ACD0-85E44CAFF994}\RP219\A0067065.exe
  [DETECTION] Is the Trojan horse TR/Zapchast.CA.1
  [INFO] The file was moved to '47071b41.qua'!
C:\System Volume Information\_restore{80F67991-5EE3-42F5-ACD0-85E44CAFF994}\RP219\A0067066.exe
  [DETECTION] Is the Trojan horse TR/Zapchast.CA.1
  [INFO] The file was moved to '468c50ee.qua'!
C:\System Volume Information\_restore{80F67991-5EE3-42F5-ACD0-85E44CAFF994}\RP219\A0067067.exe
  [DETECTION] Is the Trojan horse TR/Zapchast.CA.1
  [INFO] The file was moved to '47071b43.qua'!
C:\System Volume Information\_restore{80F67991-5EE3-42F5-ACD0-85E44CAFF994}\RP219\A0067068.exe
  [DETECTION] Is the Trojan horse TR/Zapchast.CA.1
  [INFO] The file was moved to '47071b56.qua'!
C:\System Volume Information\_restore{80F67991-5EE3-42F5-ACD0-85E44CAFF994}\RP219\A0067069.exe
  [DETECTION] Is the Trojan horse TR/Zapchast.CA.1
  [INFO] The file was moved to '468c50fb.qua'!
C:\System Volume Information\_restore{80F67991-5EE3-42F5-ACD0-85E44CAFF994}\RP219\A0067070.exe
  [DETECTION] Is the Trojan horse TR/Zapchast.CA.1
  [INFO] The file was moved to '47071b50.qua'!
C:\System Volume Information\_restore{80F67991-5EE3-42F5-ACD0-85E44CAFF994}\RP219\A0067071.exe
  [DETECTION] Is the Trojan horse TR/Zapchast.CA.1
  [INFO] The file was moved to '468c50fd.qua'!
C:\System Volume Information\_restore{80F67991-5EE3-42F5-ACD0-85E44CAFF994}\RP219\A0067072.exe
  [DETECTION] Is the Trojan horse TR/Zapchast.CA.1
  [INFO] The file was moved to '47071b5b.qua'!
C:\System Volume Information\_restore{80F67991-5EE3-42F5-ACD0-85E44CAFF994}\RP219\A0067073.exe
  [DETECTION] Is the Trojan horse TR/Zapchast.CA.1
  [INFO] The file was moved to '468c50f0.qua'!
C:\System Volume Information\_restore{80F67991-5EE3-42F5-ACD0-85E44CAFF994}\RP219\A0067074.exe
  [DETECTION] Is the Trojan horse TR/Zapchast.CA.1
  [INFO] The file was moved to '47071b5d.qua'!
C:\System Volume Information\_restore{80F67991-5EE3-42F5-ACD0-85E44CAFF994}\RP219\A0067075.exe
  [DETECTION] Is the Trojan horse TR/Zapchast.CA.1
  [INFO] The file was moved to '468c50f2.qua'!
C:\System Volume Information\_restore{80F67991-5EE3-42F5-ACD0-85E44CAFF994}\RP219\A0067076.exe
  [DETECTION] Is the Trojan horse TR/Zapchast.CA.1
  [INFO] The file was moved to '47071b52.qua'!
C:\System Volume Information\_restore{80F67991-5EE3-42F5-ACD0-85E44CAFF994}\RP219\A0067077.exe
  [DETECTION] Is the Trojan horse TR/Zapchast.CA.1
  [INFO] The file was moved to '468c50ff.qua'!
C:\System Volume Information\_restore{80F67991-5EE3-42F5-ACD0-85E44CAFF994}\RP219\A0067078.exe
  [DETECTION] Is the Trojan horse TR/Zapchast.CA.1
  [INFO] The file was moved to '47071aac.qua'!
C:\System Volume Information\_restore{80F67991-5EE3-42F5-ACD0-85E44CAFF994}\RP219\A0067079.exe
  [DETECTION] Is the Trojan horse TR/Zapchast.CA.1
  [INFO] The file was moved to '468c5101.qua'!
C:\System Volume Information\_restore{80F67991-5EE3-42F5-ACD0-85E44CAFF994}\RP219\A0067080.exe
  [DETECTION] Is the Trojan horse TR/Zapchast.CA.1
  [INFO] The file was moved to '47071b5f.qua'!
C:\System Volume Information\_restore{80F67991-5EE3-42F5-ACD0-85E44CAFF994}\RP219\A0067081.exe
  [DETECTION] Is the Trojan horse TR/Zapchast.CA.1
  [INFO] The file was moved to '468c50cc.qua'!
C:\System Volume Information\_restore{80F67991-5EE3-42F5-ACD0-85E44CAFF994}\RP219\A0067082.exe
  [DETECTION] Is the Trojan horse TR/Zapchast.CA.1
  [INFO] The file was moved to '47071b61.qua'!
C:\System Volume Information\_restore{80F67991-5EE3-42F5-ACD0-85E44CAFF994}\RP219\A0067083.exe
  [DETECTION] Is the Trojan horse TR/Zapchast.CA.1
  [INFO] The file was moved to '468c50ce.qua'!
C:\System Volume Information\_restore{80F67991-5EE3-42F5-ACD0-85E44CAFF994}\RP219\A0067084.exe
  [DETECTION] Is the Trojan horse TR/Zapchast.CA.1
  [INFO] The file was moved to '47071aae.qua'!
C:\System Volume Information\_restore{80F67991-5EE3-42F5-ACD0-85E44CAFF994}\RP219\A0067085.exe
  [DETECTION] Is the Trojan horse TR/Zapchast.CA.1
  [INFO] The file was moved to '468c5103.qua'!
C:\System Volume Information\_restore{80F67991-5EE3-42F5-ACD0-85E44CAFF994}\RP219\A0067086.exe
  [DETECTION] Is the Trojan horse TR/Zapchast.CA.1
  [INFO] The file was moved to '47071aa8.qua'!
C:\System Volume Information\_restore{80F67991-5EE3-42F5-ACD0-85E44CAFF994}\RP219\A0067087.exe
  [DETECTION] Is the Trojan horse TR/Zapchast.CA.1
  [INFO] The file was moved to '468c5105.qua'!
C:\System Volume Information\_restore{80F67991-5EE3-42F5-ACD0-85E44CAFF994}\RP219\A0067088.exe
  [DETECTION] Is the Trojan horse TR/Zapchast.CA.1
  [INFO] The file was moved to '47071b63.qua'!
C:\System Volume Information\_restore{80F67991-5EE3-42F5-ACD0-85E44CAFF994}\RP219\A0067089.exe
  [DETECTION] Is the Trojan horse TR/Zapchast.CA.1
  [INFO] The file was moved to '468c50c8.qua'!
C:\System Volume Information\_restore{80F67991-5EE3-42F5-ACD0-85E44CAFF994}\RP219\A0067090.exe
  [DETECTION] Is the Trojan horse TR/Zapchast.CA.1
  [INFO] The file was moved to '47071b65.qua'!
C:\System Volume Information\_restore{80F67991-5EE3-42F5-ACD0-85E44CAFF994}\RP219\A0067091.exe
  [DETECTION] Is the Trojan horse TR/Zapchast.CA.1
  [INFO] The file was moved to '47071aaa.qua'!
C:\System Volume Information\_restore{80F67991-5EE3-42F5-ACD0-85E44CAFF994}\RP219\A0067092.exe
  [DETECTION] Is the Trojan horse TR/Zapchast.CA.1
  [INFO] The file was moved to '468c5107.qua'!
C:\System Volume Information\_restore{80F67991-5EE3-42F5-ACD0-85E44CAFF994}\RP219\A0067093.exe
  [DETECTION] Is the Trojan horse TR/Zapchast.CA.1
  [INFO] The file was moved to '47071aa4.qua'!
C:\System Volume Information\_restore{80F67991-5EE3-42F5-ACD0-85E44CAFF994}\RP219\A0067094.exe
  [DETECTION] Is the Trojan horse TR/Zapchast.CA.1
  [INFO] The file was moved to '468c5109.qua'!
C:\System Volume Information\_restore{80F67991-5EE3-42F5-ACD0-85E44CAFF994}\RP219\A0067095.exe
  [DETECTION] Is the Trojan horse TR/Zapchast.CA.1
  [INFO] The file was moved to '468c50ca.qua'!
C:\System Volume Information\_restore{80F67991-5EE3-42F5-ACD0-85E44CAFF994}\RP219\A0067096.exe
  [DETECTION] Is the Trojan horse TR/Zapchast.CA.1
  [INFO] The file was moved to '47071b67.qua'!
C:\System Volume Information\_restore{80F67991-5EE3-42F5-ACD0-85E44CAFF994}\RP219\A0067097.exe
  [DETECTION] Is the Trojan horse TR/Zapchast.CA.1
  [INFO] The file was moved to '468c50c4.qua'!
C:\System Volume Information\_restore{80F67991-5EE3-42F5-ACD0-85E44CAFF994}\RP219\A0067098.exe
  [DETECTION] Is the Trojan horse TR/Zapchast.CA.1
  [INFO] The file was moved to '47071b69.qua'!
C:\System Volume Information\_restore{80F67991-5EE3-42F5-ACD0-85E44CAFF994}\RP219\A0067099.exe
  [DETECTION] Is the Trojan horse TR/Zapchast.CA.1
  [INFO] The file was moved to '47071aa6.qua'!
C:\System Volume Information\_restore{80F67991-5EE3-42F5-ACD0-85E44CAFF994}\RP219\A0067100.exe
  [DETECTION] Is the Trojan horse TR/Zapchast.CA.1
  [INFO] The file was moved to '468c510b.qua'!
C:\System Volume Information\_restore{80F67991-5EE3-42F5-ACD0-85E44CAFF994}\RP219\A0067101.exe
  [DETECTION] Is the Trojan horse TR/Zapchast.CA.1
  [INFO] The file was moved to '47071aa0.qua'!
C:\System Volume Information\_restore{80F67991-5EE3-42F5-ACD0-85E44CAFF994}\RP219\A0067102.exe
  [DETECTION] Is the Trojan horse TR/Zapchast.CA.1
  [INFO] The file was moved to '468c510d.qua'!
C:\System Volume Information\_restore{80F67991-5EE3-42F5-ACD0-85E44CAFF994}\RP219\A0067103.dll
  [DETECTION] Contains signature of the Windows virus W95/Blumblebee.1738
  [INFO] The file was moved to '468c50c6.qua'!
C:\System Volume Information\_restore{80F67991-5EE3-42F5-ACD0-85E44CAFF994}\RP219\A0067104.dll
  [DETECTION] Contains suspicious code HEUR/Malware
  [INFO] The file was moved to '47071b6b.qua'!
C:\System Volume Information\_restore{80F67991-5EE3-42F5-ACD0-85E44CAFF994}\RP219\A0067105.exe
  [DETECTION] Contains signature of the worm WORM/Agobot.52505
  [INFO] The file was moved to '468c50c0.qua'!
C:\System Volume Information\_restore{80F67991-5EE3-42F5-ACD0-85E44CAFF994}\RP219\A0067106.exe
  [DETECTION] Contains suspicious code HEUR/Malware
  [INFO] The file was moved to '47071aa2.qua'!
C:\System Volume Information\_restore{80F67991-5EE3-42F5-ACD0-85E44CAFF994}\RP219\A0067107.exe
  [DETECTION] Contains a signature of the (dangerous) backdoor program BDS/PoeBot.B.9 Backdoor server programs
  [INFO] The file was moved to '468c510f.qua'!
C:\System Volume Information\_restore{80F67991-5EE3-42F5-ACD0-85E44CAFF994}\RP219\A0067108.exe
  [DETECTION] Is the Trojan horse TR/Dldr.ClickMe.A.6
  [INFO] The file was moved to '47071abc.qua'!
C:\System Volume Information\_restore{80F67991-5EE3-42F5-ACD0-85E44CAFF994}\RP219\A0067109.exe
  [DETECTION] Is the Trojan horse TR/Dldr.ClickMe.A.3
  [INFO] The file was moved to '468c5111.qua'!
C:\System Volume Information\_restore{80F67991-5EE3-42F5-ACD0-85E44CAFF994}\RP193\A0058837.exe
  [DETECTION] Is the Trojan horse TR/Dldr.DNSChanger.Gen
  [INFO] The file was moved to '47071abe.qua'!
C:\System Volume Information\_restore{80F67991-5EE3-42F5-ACD0-85E44CAFF994}\RP213\A0062683.dll
  [DETECTION] Is the Trojan horse TR/Spy.BZub.FH.2
  [INFO] The file was moved to '468c512e.qua'!
C:\System Volume Information\_restore{80F67991-5EE3-42F5-ACD0-85E44CAFF994}\RP213\A0062685.exe
  [DETECTION] Is the Trojan horse TR/Dldr.ConHook.Gen
  [INFO] The file was moved to '468c512f.qua'!
C:\System Volume Information\_restore{80F67991-5EE3-42F5-ACD0-85E44CAFF994}\RP213\A0062691.dll
  [DETECTION] Is the Trojan horse TR/Spy.BZub.FH.2
  [INFO] The file was moved to '47071a9c.qua'!
C:\System Volume Information\_restore{80F67991-5EE3-42F5-ACD0-85E44CAFF994}\RP214\A0062718.exe
  [DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
  [INFO] The file was moved to '468c5131.qua'!
C:\System Volume Information\_restore{80F67991-5EE3-42F5-ACD0-85E44CAFF994}\RP216\A0064811.exe
  [DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
  [INFO] The file was moved to '468c5134.qua'!
C:\System Volume Information\_restore{80F67991-5EE3-42F5-ACD0-85E44CAFF994}\RP216\A0065825.exe
  [DETECTION] Contains suspicious code HEUR/Crypted
  [INFO] The file was moved to '468c5135.qua'!
C:\Recycled\Dc444.exe
  [DETECTION] Is the Trojan horse TR/Spy.BZub.FH.2
  [INFO] The file was moved to '4690516f.qua'!
C:\Recycled\Dc537.exe
  [DETECTION] Is the Trojan horse TR/Spy.BZub.FH.2
  [INFO] The file was moved to '469151ad.qua'!
C:\Recycled\Dc538.exe
  [DETECTION] Is the Trojan horse TR/Dldr.PP
  [INFO] The file was moved to '47181102.qua'!
C:\Recycled\Dc374.tmp\UniDist.ocx
  [DETECTION] Is the Trojan horse TR/Dldr.Dyfuca.BM
  [INFO] The file was moved to '46c551b9.qua'!
C:\Recycled\Dc23.tmp\istactivex.dll
  [DETECTION] Is the Trojan horse TR/Dldr.Small.bph.1
  [INFO] The file was moved to '46d051c0.qua'!
C:\Recycled\Dc25.tmp\mm81.ocx
  [DETECTION] Is the Trojan horse TR/Dldr.Delf.NK.5
  [INFO] The file was moved to '469451bb.qua'!
C:\Recycled\Dc26.tmp\MediaTicketsInstaller.ocx
  [DETECTION] Is the Trojan horse TR/Dldr.Agen.QT.2.D
  [INFO] The file was moved to '46c051b3.qua'!

Begin scan in 'D:\' <ANCIEN_C>
Begin scan in 'E:\' <WINXP_02D>
Begin scan in 'F:\' <RESTORE>
Begin scan in 'G:\' <ANCIEN_D>
Begin scan in 'A:\'
Search path A:\ could not be opened!
The device is not ready.

Begin scan in 'H:\'
Search path H:\ could not be opened!
The device is not ready.


End of the scan: 2007-05-29 18:15
Used time: 29:52 min

The scan has been done completely.

   2354 Scanning directories
 147566 Files were scanned
    233 viruses and/or unwanted programs were found
     18 classified as suspicious:
      0 files were deleted
      0 files were repaired
    232 files were moved to quarantine
      0 files were renamed
      1 Files cannot be scanned
 147315 Files not concerned
   6525 Archives were scanned
      2 Warnings
      0 Notes
      0 Hidden objects were found

Posted (edited)

Hello kini1,

If there are steps in the procedure below that you do not manage to complete, please carry on with the procedure to the end and mention them in your next reply.

I advise you to save the complete web page in Internet Explorer, like this:

* Click File / Save As. Under Type, choose: Web Archive, single file (*.mht). Save it to the desktop; that way you keep the formatting. Or print this reply. Part of the disinfection takes place in Safe Mode.


1/ Download FixWareout to the desktop:

http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Run the fix: click Next, then Install, then make sure "Run fixit" is ticked and click Finish.
The fix will start; follow the on-screen messages. You will be asked to restart your computer; do so. Your system will take a little longer to start up, which is normal.

Once your system has restarted, follow the prompts. Then launch HijackThis, click "Do a system scan only" and tick these lines:

O17 - HKLM\System\CCS\Services\Tcpip\..\{3202F990-3974-4BFA-ABEC-D54D3C6B4D4C}: NameServer = 85.255.115.94,85.255.112.24
O17 - HKLM\System\CCS\Services\Tcpip\..\{3DFC83E6-5612-4887-83BA-13129407C021}: NameServer = 85.255.115.94,85.255.112.24
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.94 85.255.112.24
O17 - HKLM\System\CS1\Services\Tcpip\..\{3202F990-3974-4BFA-ABEC-D54D3C6B4D4C}: NameServer = 85.255.115.94,85.255.112.24
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.94 85.255.112.24

Click Fix Checked. Close HijackThis and click OK to continue the procedure.

At the end of the fix you may need to restart the PC once more.


2/ Download and install http://www.ewido.net/en/download
Once AVG AS is running, click Update.
Close the program.


3/ Download SDFix (created by AndyManchesta) and save it to your Desktop.


4/ Download OTMoveIt by OldTimer to your Desktop.


5/ Open Notepad (Start\All Programs\Accessories\Notepad)


6/ Copy what is quoted below (without the word "quote") by selecting it and pressing Ctrl-C:

REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Micros0ft Updote]

- Save this .reg file to: Desktop
- File name: fixme.reg
- File type: All files
- click Save
- quit Notepad


7/ Start in Safe Mode http://cybersecurite.xooit.com/t88-Demarre...s-echec.htm#665


8/ Start / Control Panel / Add or Remove Programs and check for:

Security Tools

If this program is present, uninstall it.


9/ Launch HijackThis, click "Do a system scan only" and tick these lines:

O2 - BHO: (no name) - {08C99AA7-8187-4811-854D-8CBDA7C2F906} - c:\windows\system32\opbaopb.dll (file missing)
O2 - BHO: Explorer Helper - {696A82AF-3AD8-5A16-A1CA-32A59A63A863} - C:\WINDOWS\system\bremct32.dll (file missing)
O2 - BHO: (no name) - {B8C5186E-EC37-4889-9C2E-F73649FFB7BB} - C:\Program Files\Security Tools\iesplg.dll
O3 - Toolbar: Protection Bar - {31615D5C-5126-448A-818A-A7CDFEE85A9B} - C:\Program Files\Security Tools\iesbpl.dll
O4 - HKLM\..\Run: [Configuration Loader] scvhost.exe
O4 - HKLM\..\Run: [spooler SubSystem App] C:\WINDOWS\system32\spooIsv.exe
O4 - HKLM\..\RunServices: [Configuration Loader] scvhost.exe
O4 - HKLM\..\RunServices: [Micros0ft Updote] FmMPacK32.exe
O20 - Winlogon Notify: pnctghke - opbaopb.dll (file missing)

Close every open window except HijackThis and click Fix Checked.


10/ Relaunch AVG AS, then choose the Scanner tab
Then the Settings tab
Under the question "How to act?", click Recommended actions and choose Quarantine
Click the Scanner tab again and run a Complete System Scan

If an infected file is detected at the end of the scan
Click Apply all actions

Click Save report, then Save report as
Save this text file to your desktop


11/ Use the fixme.reg file created earlier:
- double-click the file (on the Desktop) / accept the warning about merging / don't be surprised if nothing seems to happen / confirm the message saying the merge is complete.

12/ * Double-click smitfraudfix.exe
* Select 2 in the menu to remove the files responsible for the infection.
* At the question "Do you want to clean the registry?" answer O (yes)
Save the report.


13/ • Double-click OTMoveIt.exe to launch it.
• Copy the paths of the following files by selecting ALL of them and pressing CTRL+C (or, after selecting, right-click and choose Copy):

C:\WINDOWS\system32\kernel32.exe
C:\WINDOWS\1809.exe
C:\WINDOWS\update7.exe
C:\FOUND.009
C:\WINDOWS\dsb.exe
C:\WINDOWS\system32\hbaaaaaa.exe
C:\FOUND.008
C:\WINDOWS\system32\bdod.bin
C:\WINDOWS\system32\spooIsv.exe

  • Go back to OTMoveIt, right-click in the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Close OTMoveIt.
    Note: if a file or folder cannot be moved immediately, you will be asked to restart your machine to finish the process. If so, choose Yes.

14/ If OTMoveIt restarted your PC in normal mode, restart it once more in Safe Mode.


15/
  • In Safe Mode, right-click the SDFix.zip file and choose Extract All,
  • Open the SDFix folder that was just created on the Desktop and double-click RunThis.bat to run the script.
  • Press Y to start the script.
  • It will remove the services of certain trojans, also make a few registry repairs, and will ask you to press a key to restart.
  • Press a key to restart the PC.
  • Your system will take longer than usual to restart because the tool keeps running and deleting files.
  • Once the Desktop has loaded, the tool will finish its work and display Finished.
  • Press a key to end the script and load your Desktop icons.
  • Finally, open the SDFix folder on your Desktop and copy/paste the contents of Report.txt into your next reply on the forum, together with a new HijackThis log!

16/ Post the AVG Anti-Spyware 7.5 report as well as the fixwareout report, which is here:

C:\fixwareout\report.txt

Also post the OTMoveIt report available here: C:\_OTMoveIt\MovedFiles, and the smitfraudfix option 2 report.


17/ Relaunch Deckard's System Scanner and post the report.


Good luck, and if you have any question at all, don't hesitate :P

@+

Edited by bruce lee
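The O17 lines the helper asks to fix above are the DNS-hijack part of this infection: the NameServer values under Tcpip\Parameters and under each interface GUID have been pointed at 85.255.115.94 and 85.255.112.24, in both CurrentControlSet (CCS) and ControlSet001 (CS1). The following script is an added example, not part of the thread and not a tool the helper posted: it parses HijackThis O17 lines and reports any resolver that is not the one the machine is expected to use. The allowlist (192.168.1.1) and the decision to treat the whole 85.255.112.0/20 block as rogue are assumptions made for the example; the log lines are constructed from the five O17 entries quoted in the reply plus two extra lines.

```python
import ipaddress
import re

# Resolvers the machine is supposed to use. Hypothetical allowlist (a home
# router address); nothing in the thread states the real ISP resolvers.
EXPECTED_RESOLVERS = {"192.168.1.1"}

# Block that contains the NameServer values quoted in the reply
# (85.255.115.94 and 85.255.112.24). Treating the whole /20 as hostile is an
# assumption made for this example.
ROGUE_RANGES = [ipaddress.ip_network("85.255.112.0/20")]

# HijackThis O17 line: "O17 - <registry key>: NameServer = <addr>[,<addr> | <addr> <addr>]"
O17_RE = re.compile(r"^O17 - (?P<key>HKLM\\System\\[^:]+): NameServer = (?P<servers>.+)$")

# Constructed sample log: the five O17 lines from the reply above, one line
# pointing at the hypothetical legitimate resolver, and one unrelated O4 line.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{3202F990-3974-4BFA-ABEC-D54D3C6B4D4C}: NameServer = 85.255.115.94,85.255.112.24
O17 - HKLM\System\CCS\Services\Tcpip\..\{3DFC83E6-5612-4887-83BA-13129407C021}: NameServer = 85.255.115.94,85.255.112.24
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.94 85.255.112.24
O17 - HKLM\System\CS1\Services\Tcpip\..\{3202F990-3974-4BFA-ABEC-D54D3C6B4D4C}: NameServer = 85.255.115.94,85.255.112.24
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.94 85.255.112.24
O17 - HKLM\System\CCS\Services\Tcpip\..\{AAAAAAAA-0000-0000-0000-000000000000}: NameServer = 192.168.1.1
O4 - HKLM\..\Run: [Configuration Loader] scvhost.exe
""".strip().splitlines()


def parse_o17(line):
    """Return (registry_key, [nameservers]) for an O17 line, or None for any other line."""
    m = O17_RE.match(line.strip())
    if not m:
        return None
    # HijackThis prints the per-interface value comma-separated and the global
    # Tcpip\Parameters value space-separated; accept both.
    servers = [s for s in re.split(r"[,\s]+", m.group("servers").strip()) if s]
    return m.group("key"), servers


def classify(server):
    """Label one nameserver address."""
    try:
        ip = ipaddress.ip_address(server)
    except ValueError:
        return "unparseable"
    if server in EXPECTED_RESOLVERS:
        return "expected"
    if any(ip in net for net in ROGUE_RANGES):
        return "known-rogue"
    if ip.is_private:
        return "private"
    return "unexpected"


def audit(log_lines):
    """Return (key, server, verdict) for every configured resolver that is not expected."""
    findings = []
    for line in log_lines:
        parsed = parse_o17(line)
        if parsed is None:
            continue
        key, servers = parsed
        for server in servers:
            verdict = classify(server)
            if verdict != "expected":
                findings.append((key, server, verdict))
    return findings


def control_sets(findings):
    """Control sets holding a bad value (CCS = CurrentControlSet, CS1 = ControlSet001).
    Fixing only CurrentControlSet leaves the copy in ControlSet001 in place."""
    return sorted({key.split("\\")[2] for key, _, _ in findings})


if __name__ == "__main__":
    found = audit(SAMPLE_LOG)
    for key, server, verdict in found:
        print(f"{verdict:12} {server:16} {key}")
    print("control sets affected:", control_sets(found))
```

Every O17 line in the sample resolves to "known-rogue" and the affected control sets come back as both CCS and CS1, which is why the reply ticks entries under both: clearing the CurrentControlSet values alone would leave the ControlSet001 copies to be found again on the next HijackThis scan.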
Posted

Hello Bruce....

Whoa, I'm a bit nervous about doing all that.. :P

I'll give it a try and hope I don't mess anything up :P

I can only do it next week, because my buddy and I don't have the same schedules...

I think I'll go over on Wednesday or Thursday

In any case, thanks a lot and have a good end of the week

Jacks
Posted
Re,

His PC is badly infected! Tell him to avoid connecting to the net.

See you next week :P

Hello Bruce, I went and fetched the PC from my buddy's place!!

So in the first HijackThis scan there was no line 17
AVG could not update
And in Add or Remove Programs there was no Security Tools

AVG report

---------------------------------------------------------
AVG Anti-Spyware - Scan report
---------------------------------------------------------

+ Created at: 17:27 2007-06-01

+ Scan result:


C:\Recycled\Dc24.tmp\v3.dll -> Adware.EliteBar : Cleaned and backed up (quarantined).
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\S5EN0D27\v3cab[1].cab/v3.dll -> Adware.EliteBar : Cleaned and backed up (quarantined).
C:\Recycled\Dc26.tmp\MediaTicketsInstaller.INF -> Adware.MediaTickets : Cleaned and backed up (quarantined).
C:\Recycled\Dc375.tmp\UWA6PV_0001_N91M2107NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned and backed up (quarantined).
C:\Recycled\Dc376.tmp\UWAS6V_0001_N91M2208NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned and backed up (quarantined).
C:\WINDOWS\HKNTDLL.dll -> Not-A-Virus.Monitor.Win32.Hooker.e : Cleaned and backed up (quarantined).
C:\Documents and Settings\Perso\Cookies\perso@217.73.66[1].txt -> TrackingCookie.217.73.66.16 : Cleaned.
C:\Documents and Settings\Perso\Cookies\perso@247realmedia[1].txt -> TrackingCookie.247realmedia : Cleaned.
C:\Documents and Settings\Perso\Cookies\perso@247realmedia[2].txt -> TrackingCookie.247realmedia : Cleaned.
C:\Documents and Settings\Perso\Cookies\perso@2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Perso\Cookies\perso@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Perso\Cookies\perso@msnuk.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Perso\Cookies\perso@redcats.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Perso\Cookies\perso@swsoft.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Perso\Cookies\perso@adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Perso\Cookies\perso@adbrite[3].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Perso\Cookies\perso@ad.adition[3].txt -> TrackingCookie.Adition : Cleaned.
C:\Documents and Settings\Perso\Cookies\perso@www.adobe[1].txt -> TrackingCookie.Adobe : Cleaned.
C:\Documents and Settings\Perso\Cookies\perso@adtech[2].txt -> TrackingCookie.Adtech : Cleaned.
C:\Documents and Settings\Perso\Cookies\perso@advertising[1].txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\Perso\Cookies\perso@advertising[2].txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\Perso\Cookies\perso@bluestreak[2].txt -> TrackingCookie.Bluestreak : Cleaned.
C:\Documents and Settings\Perso\Cookies\perso@bluestreak[3].txt -> TrackingCookie.Bluestreak : Cleaned.
C:\Documents and Settings\Perso\Cookies\perso@iv2.bluestreak[1].txt -> TrackingCookie.Bluestreak : Cleaned.
C:\Documents and Settings\Perso\Cookies\perso@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned.
C:\Documents and Settings\Perso\Cookies\perso@casalemedia[2].txt -> TrackingCookie.Casalemedia : Cleaned.
C:\Documents and Settings\Perso\Cookies\perso@clickbank[1].txt -> TrackingCookie.Clickbank : Cleaned.
C:\Documents and Settings\Perso\Cookies\perso@ad1.clickhype[1].txt -> TrackingCookie.Clickhype : Cleaned.
C:\Documents and Settings\Perso\Cookies\perso@cz3.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned.
C:\Documents and Settings\Perso\Cookies\perso@cz3.clickzs[3].txt -> TrackingCookie.Clickzs : Cleaned.
C:\Documents and Settings\Perso\Cookies\perso@cz4.clickzs[1].txt -> TrackingCookie.Clickzs : Cleaned.
C:\Documents and Settings\Perso\Cookies\perso@cz5.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned.
C:\Documents and Settings\Perso\Cookies\perso@cz6.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned.
C:\Documents and Settings\Perso\Cookies\perso@cz6.clickzs[3].txt -> TrackingCookie.Clickzs : Cleaned.
C:\Documents and Settings\Perso\Cookies\perso@cz7.clickzs[1].txt -> TrackingCookie.Clickzs : Cleaned.
C:\Documents and Settings\Perso\Cookies\perso@cz8.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned.
C:\Documents and Settings\Perso\Cookies\perso@cz8.clickzs[3].txt -> TrackingCookie.Clickzs : Cleaned.
C:\Documents and Settings\Perso\Cookies\perso@vip.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned.
C:\Documents and Settings\Perso\Cookies\perso@counter.cnw[1].txt -> TrackingCookie.Cnw : Cleaned.
C:\Documents and Settings\Perso\Cookies\perso@stat.dealtime[2].txt -> TrackingCookie.Dealtime : Cleaned.
C:\Documents and Settings\Perso\Cookies\perso@stat.dealtime[3].txt -> TrackingCookie.Dealtime : Cleaned.
C:\Documents and Settings\Perso\Cookies\perso@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Perso\Cookies\perso@doubleclick[2].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Perso\Cookies\perso@e-2dj6wfkiwlajmgo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Perso\Cookies\perso@estat[1].txt -> TrackingCookie.Estat : Cleaned.
C:\Documents and Settings\Perso\Cookies\perso@estat[2].txt -> TrackingCookie.Estat : Cleaned.
C:\Documents and Settings\Perso\Cookies\perso@www.etracker[1].txt -> TrackingCookie.Etracker : Cleaned.
C:\Documents and Settings\Perso\Cookies\perso@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : Cleaned.
C:\Documents and Settings\Perso\Cookies\perso@as-eu.falkag[2].txt -> TrackingCookie.Falkag : Cleaned.
C:\Documents and Settings\Perso\Cookies\perso@as-eu.falkag[3].txt -> TrackingCookie.Falkag : Cleaned.
C:\Documents and Settings\Perso\Cookies\perso@as1.falkag[2].txt -> TrackingCookie.Falkag : Cleaned.
C:\Documents and Settings\Perso\Cookies\perso@fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\Perso\Cookies\perso@fortunecity[1].txt -> TrackingCookie.Fortunecity : Cleaned.
C:\Documents and Settings\Perso\Cookies\perso@c.goclick[1].txt -> TrackingCookie.Goclick : Cleaned.
C:\Documents and Settings\Perso\Cookies\perso@ehg-danier.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Perso\Cookies\perso@ehg-darksideprod.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Perso\Cookies\perso@ehg-darksideprod.hitbox[3].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Perso\Cookies\perso@ehg-dig.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Perso\Cookies\perso@ehg-legonewyorkinc.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Perso\Cookies\perso@hg1.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Perso\Cookies\perso@hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Perso\Cookies\perso@hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Perso\Cookies\perso@phg.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Perso\Cookies\perso@counter2.hitslink[1].txt -> TrackingCookie.Hitslink : Cleaned.
C:\Documents and Settings\Perso\Cookies\perso@counter2.hitslink[2].txt -> TrackingCookie.Hitslink : Cleaned.
C:\Documents and Settings\Perso\Cookies\perso@hotlog[2].txt -> TrackingCookie.Hotlog : Cleaned.
C:\Documents and Settings\Perso\Cookies\perso@searchportal.information[1].txt -> TrackingCookie.Information : Cleaned.
C:\Documents and Settings\Perso\Cookies\perso@searchportal.information[2].txt -> TrackingCookie.Information : Cleaned.
C:\Documents and Settings\Perso\Cookies\perso@ivwbox[2].txt -> TrackingCookie.Ivwbox : Cleaned.
C:\Documents and Settings\Perso\Cookies\perso@komtrack[2].txt -> TrackingCookie.Komtrack : Cleaned.
C:\Documents and Settings\Perso\Cookies\perso@server.iad.liveperson[2].txt -> TrackingCookie.Liveperson : Cleaned.
C:\Documents and Settings\Perso\Cookies\perso@image.masterstats[1].txt -> TrackingCookie.Masterstats : Cleaned.
C:\Documents and Settings\Perso\Cookies\perso@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\Perso\Cookies\perso@mediaplex[2].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\Perso\Cookies\perso@ssl-hints.netflame[2].txt -> TrackingCookie.Netflame : Cleaned.
C:\Documents and Settings\Perso\Cookies\perso@ssl-hints.netflame[3].txt -> TrackingCookie.Netflame : Cleaned.
C:\Recycled\Dc248\perso@ssl-hints.netflame[1].txt -> TrackingCookie.Netflame : Cleaned.
C:\Documents and Settings\Perso\Cookies\perso@data2.perf.overture[2].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Perso\Cookies\perso@data3.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Perso\Cookies\perso@overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Perso\Cookies\perso@overture[3].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Perso\Cookies\perso@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Perso\Cookies\perso@perf.overture[2].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Perso\Cookies\perso@paycounter[1].txt -> TrackingCookie.Paycounter : Cleaned.
C:\Documents and Settings\Perso\Cookies\perso@www.paypal[1].txt -> TrackingCookie.Paypal : Cleaned.
C:\Documents and Settings\Perso\Cookies\perso@ads.planetactive[2].txt -> TrackingCookie.Planetactive : Cleaned.
C:\Documents and Settings\Perso\Cookies\perso@ads.planetactive[3].txt -> TrackingCookie.Planetactive : Cleaned.
C:\Documents and Settings\Perso\Cookies\perso@ppms.popularix[2].txt -> TrackingCookie.Popularix : Cleaned.
C:\Documents and Settings\Perso\Cookies\perso@qksrv[2].txt -> TrackingCookie.Qksrv : Cleaned.
C:\Documents and Settings\Perso\Cookies\perso@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Documents and Settings\Perso\Cookies\perso@web4.realtracker[1].txt -> TrackingCookie.Realtracker : Cleaned.
C:\Documents and Settings\Perso\Cookies\perso@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : Cleaned.
C:\Documents and Settings\Perso\Cookies\perso@revenue[2].txt -> TrackingCookie.Revenue : Cleaned.
C:\Documents and Settings\Perso\Cookies\perso@revenue[3].txt -> TrackingCookie.Revenue : Cleaned.
C:\Documents and Settings\Perso\Cookies\perso@bs.serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\Perso\Cookies\perso@serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\Perso\Cookies\perso@cs.sexcounter[2].txt -> TrackingCookie.Sexcounter : Cleaned.
C:\Documents and Settings\Perso\Cookies\perso@sexlist[1].txt -> TrackingCookie.Sexlist : Cleaned.
C:\Documents and Settings\Perso\Cookies\perso@sexlist[2].txt -> TrackingCookie.Sexlist : Cleaned.
C:\Documents and Settings\Perso\Cookies\perso@counter1.sextracker[1].txt -> TrackingCookie.Sextracker : Cleaned.
C:\Documents and Settings\Perso\Cookies\perso@counter10.sextracker[2].txt -> TrackingCookie.Sextracker : Cleaned.
C:\Documents and Settings\Perso\Cookies\perso@counter11.sextracker[2].txt -> TrackingCookie.Sextracker : Cleaned.
C:\Documents and Settings\Perso\Cookies\perso@counter12.sextracker[2].txt -> TrackingCookie.Sextracker : Cleaned.
C:\Documents and Settings\Perso\Cookies\perso@counter13.sextracker[1].txt -> TrackingCookie.Sextracker : Cleaned.
C:\Documents and Settings\Perso\Cookies\perso@counter14.sextracker[1].txt -> TrackingCookie.Sextracker : Cleaned.
C:\Documents and Settings\Perso\Cookies\perso@counter14.sextracker[2].txt -> TrackingCookie.Sextracker : Cleaned.
C:\Documents and Settings\Perso\Cookies\perso@counter15.sextracker[1].txt -> TrackingCookie.Sextracker : Cleaned.
C:\Documents and Settings\Perso\Cookies\perso@counter16.sextracker[2].txt -> TrackingCookie.Sextracker : Cleaned.
C:\Documents and Settings\Perso\Cookies\perso@counter2.sextracker[1].txt -> TrackingCookie.Sextracker : Cleaned.
C:\Documents and Settings\Perso\Cookies\perso@counter3.sextracker[1].txt -> TrackingCookie.Sextracker : Cleaned.
C:\Documents and Settings\Perso\Cookies\perso@counter3.sextracker[2].txt -> TrackingCookie.Sextracker : Cleaned.
C:\Documents and Settings\Perso\Cookies\perso@counter4.sextracker[1].txt -> TrackingCookie.Sextracker : Cleaned.
C:\Documents and Settings\Perso\Cookies\perso@counter5.sextracker[2].txt -> TrackingCookie.Sextracker : Cleaned.
C:\Documents and Settings\Perso\Cookies\perso@counter6.sextracker[1].txt -> TrackingCookie.Sextracker : Cleaned.
C:\Documents and Settings\Perso\Cookies\perso@counter7.sextracker[1].txt -> TrackingCookie.Sextracker : Cleaned.
C:\Documents and Settings\Perso\Cookies\perso@counter8.sextracker[1].txt -> TrackingCookie.Sextracker : Cleaned.
C:\Documents and Settings\Perso\Cookies\perso@counter9.sextracker[1].txt -> TrackingCookie.Sextracker : Cleaned.
C:\Documents and Settings\Perso\Cookies\perso@sextracker[2].txt -> TrackingCookie.Sextracker : Cleaned.

C:\Documents and Settings\Perso\Cookies\perso@sextracker[3].txt -> TrackingCookie.Sextracker : Nettoyé.

C:\Documents and Settings\Perso\Cookies\perso@www.smartadserver[2].txt -> TrackingCookie.Smartadserver : Nettoyé.

C:\Documents and Settings\Perso\Cookies\perso@spylog[1].txt -> TrackingCookie.Spylog : Nettoyé.

C:\Documents and Settings\Perso\Cookies\perso@statcounter[1].txt -> TrackingCookie.Statcounter : Nettoyé.

C:\Documents and Settings\Perso\Cookies\perso@tradedoubler[1].txt -> TrackingCookie.Tradedoubler : Nettoyé.

C:\Documents and Settings\Perso\Cookies\perso@tradedoubler[2].txt -> TrackingCookie.Tradedoubler : Nettoyé.

C:\Documents and Settings\Perso\Cookies\perso@trafficcenter[1].txt -> TrackingCookie.Trafficcenter : Nettoyé.

C:\Documents and Settings\Perso\Cookies\perso@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Nettoyé.

C:\Documents and Settings\Perso\Cookies\perso@web-stat[2].txt -> TrackingCookie.Web-stat : Nettoyé.

C:\Documents and Settings\Perso\Cookies\perso@webstat[1].txt -> TrackingCookie.Web-stat : Nettoyé.

C:\Documents and Settings\Perso\Cookies\perso@weborama[1].txt -> TrackingCookie.Weborama : Nettoyé.

C:\Documents and Settings\Perso\Cookies\perso@weborama[2].txt -> TrackingCookie.Weborama : Nettoyé.

C:\Documents and Settings\Perso\Cookies\perso@weborama[3].txt -> TrackingCookie.Weborama : Nettoyé.

C:\Documents and Settings\Perso\Cookies\perso@m.webtrends[2].txt -> TrackingCookie.Webtrends : Nettoyé.

C:\Documents and Settings\Perso\Cookies\perso@statse.webtrendslive[2].txt -> TrackingCookie.Webtrendslive : Nettoyé.

C:\Documents and Settings\Perso\Cookies\perso@count.xhit[1].txt -> TrackingCookie.Xhit : Nettoyé.

C:\Documents and Settings\Perso\Cookies\perso@count.xhit[3].txt -> TrackingCookie.Xhit : Nettoyé.

C:\Documents and Settings\Perso\Cookies\perso@xxxcounter[1].txt -> TrackingCookie.Xxxcounter : Nettoyé.

C:\Documents and Settings\Perso\Cookies\perso@yadro[1].txt -> TrackingCookie.Yadro : Nettoyé.

C:\Documents and Settings\Perso\Cookies\perso@yadro[3].txt -> TrackingCookie.Yadro : Nettoyé.

C:\Documents and Settings\Perso\Cookies\perso@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Nettoyé.

C:\Documents and Settings\Perso\Cookies\perso@ad.yieldmanager[3].txt -> TrackingCookie.Yieldmanager : Nettoyé.

C:\Documents and Settings\Perso\Cookies\perso@zedo[2].txt -> TrackingCookie.Zedo : Nettoyé.

C:\Recycled\Dc500.sys -> Trojan.Delf.zj : Nettoyé et sauvegardé (mise en quarantaine).

 

 

Fin du rapport

 

Fix report

 

Fixwareout Last edited 5/15/2007

Post this report in the forums please

...

»»»»»Prerun check

 

»»»»»

 

»»»»» Postrun check

HKLM\SOFTWARE\~\Winlogon\ "System"=""

....

....

»»»»» Misc files.

C:\WINDOWS\System32\kernel32.exe Deleted

....

»»»»» Checking for older varients.

....

 

Search five digit cs, dm, kd, jb, other, files.

The following files NEED TO BE SUBMITTED to one of the following URL'S for further inspection.

 

 

Click browse, find the file then click submit.

http://www.virustotal.com/flash/index_en.html

Or http://virusscan.jotti.org/

 

»»»»» Other

 

»»»»» Current runs

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"

"CHotkey"="mHotkey.exe"

"Configuration Loader"="scvhost.exe"

"Spooler SubSystem App"="C:\\WINDOWS\\system32\\spooIsv.exe"

"BDMCon"="c:\\progra~1\\softwin\\bitdef~1\\bdmcon.exe"

"BDOESRV"="\"C:\\Program Files\\Softwin\\BitDefender9\\bdoesrv.exe\""

"BDNewsAgent"="\"C:\\progra~1\\softwin\\bitdef~1\\bdnagent.exe\""

"BDSwitchAgent"="\"C:\\progra~1\\softwin\\bitdef~1\\bdswitch.exe\""

"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

"avgnt"="\"C:\\Program Files\\AntiVir PersonalEdition Classic\\avgnt.exe\" /min"

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

....

Hosts file was reset, If you use a custom hosts file please replace it

»»»»» End report »»»»»

 

and Deckard

 

Deckard's System Scanner v20070426.43

Run by Perso on 2007-06-01 at 18:06:54

Computer is in Normal Mode.

--------------------------------------------------------------------------------

 

 

 

-- HijackThis (run as Perso.exe) -----------------------------------------------

 

Logfile of HijackThis v1.99.1

Scan saved at 18:07, on 2007-06-01

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\WINDOWS\system32\slserv.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Fichiers communs\Softwin\BitDefender Communicator\xcommsvr.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Softwin\BitDefender9\bdoesrv.exe

C:\progra~1\softwin\bitdef~1\bdnagent.exe

C:\progra~1\softwin\bitdef~1\bdswitch.exe

C:\Program Files\QuickTime\qttask.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\internet explorer\iexplore.exe

C:\Program Files\Fichiers communs\Softwin\BitDefender Update Service\livesrv.exe

C:\Program Files\Fichiers communs\Softwin\BitDefender Scan Server\bdss.exe

C:\Program Files\Softwin\BitDefender9\vsserv.exe

c:\progra~1\softwin\bitdef~1\bdmcon.exe

C:\Program Files\internet explorer\iexplore.exe

C:\Documents and Settings\Perso\Local Settings\Temporary Internet Files\Content.IE5\YF4HNNHR\dss[1].exe

C:\PROGRA~1\HIJACK~1\Perso.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens

O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll

O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

O4 - HKLM\..\Run: [CHotkey] mHotkey.exe

O4 - HKLM\..\Run: [bDMCon] c:\progra~1\softwin\bitdef~1\bdmcon.exe

O4 - HKLM\..\Run: [bDOESRV] "C:\Program Files\Softwin\BitDefender9\bdoesrv.exe"

O4 - HKLM\..\Run: [bDNewsAgent] "c:\progra~1\softwin\bitdef~1\bdnagent.exe"

O4 - HKLM\..\Run: [bDSwitchAgent] "c:\progra~1\softwin\bitdef~1\bdswitch.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O8 - Extra context menu item: Easy-WebPrint Ajouter à la liste d'impressions - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html

O8 - Extra context menu item: Easy-WebPrint Impression rapide - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html

O8 - Extra context menu item: Easy-WebPrint Imprimer - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html

O8 - Extra context menu item: Easy-WebPrint Prévisualiser - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.bluewin.ch/index_f.html

O16 - DPF: {01347765-1965-426B-91A4-AA6BB342B9A3} (InstallerObj Class) - http://www.1-click.com/common/files/instal...hidden-test.cab

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.zebulon.fr/outils/antivirus/kav...can_unicode.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Fichiers communs\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)

O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Fichiers communs\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)

O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender9\vsserv.exe" /service (file missing)

O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Fichiers communs\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

 

 

-- Files created between 2007-05-01 and 2007-06-01 -----------------------------

 

2007-06-01 17:54:42 81984 --a------ C:\WINDOWS\system32\bdod.bin

2007-06-01 16:35:17 0 d-------- C:\WINDOWS\system32\LogFiles

2007-06-01 15:39:26 8299 --a------ C:\dnsbak.reg

2007-05-31 14:18:55 0 d-------- C:\Documents and Settings\LocalService\Application Data\Macromedia

2007-05-29 17:02:49 0 d-------- C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic

2007-05-28 17:32:35 0 d-------- C:\VundoFix Backups

2007-05-28 17:23:39 2138 --a------ C:\WINDOWS\system32\tmp.reg

2007-05-28 17:20:00 51200 --a------ C:\WINDOWS\system32\dumphive.exe

2007-05-28 17:19:59 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>

2007-05-28 16:09:27 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>

2007-05-28 16:07:11 0 d-------- C:\Program Files\Navilog1

2007-05-28 15:12:53 0 d-------- C:\WINDOWS\system32\ActiveScan

2007-05-28 15:05:28 0 d-------- C:\WINDOWS\system32\Kaspersky Lab

 

 

-- Find3M Report ---------------------------------------------------------------

 

2007-06-01 17:59:34 31 --a------ C:\WINDOWS\system32\getfile.dat

2007-03-19 11:15:50 21246 --a------ C:\WINDOWS\nsreg.dat

 

 

-- Registry Dump ---------------------------------------------------------------

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

{68F9551E-0411-48E4-9AAF-4BC42A6A46BE} C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]

"NvCplDaemon"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"

"CHotkey"="mHotkey.exe"

"BDMCon"="c:\\progra~1\\softwin\\bitdef~1\\bdmcon.exe"

"BDOESRV"="\"C:\\Program Files\\Softwin\\BitDefender9\\bdoesrv.exe\""

"BDNewsAgent"="\"c:\\progra~1\\softwin\\bitdef~1\\bdnagent.exe\""

"BDSwitchAgent"="\"c:\\progra~1\\softwin\\bitdef~1\\bdswitch.exe\""

"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]

"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]

"CTFMON.EXE"="C:\\WINDOWS\\System32\\ctfmon.exe"

"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]

"DisableRegistryTools"=dword:00000000

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]

"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"appinit_dlls"="sockspy.dll"

 

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa

Authentication Packages REG_MULTI_SZ msv1_0\

Security Packages REG_MULTI_SZ kerberosmsv1_0schannelwdigest\

Notification Packages REG_MULTI_SZ scecli\

 

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^Rappels du Calendrier Microsoft Works.lnk]

"path"="C:\\Documents and Settings\\All Users\\Menu Démarrer\\Programmes\\Démarrage\\Rappels du Calendrier Microsoft Works.lnk"

"backup"="C:\\WINDOWS\\pss\\Rappels du Calendrier Microsoft Works.lnkCommon Startup"

"location"="Common Startup"

"command"="C:\\PROGRA~1\\FICHIE~1\\MICROS~1\\WORKSS~1\\wkcalrem.exe "

"item"="Rappels du Calendrier Microsoft Works"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Portfolio]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="WksSb"

"hkey"="HKLM"

"command"="C:\\Program Files\\Microsoft Works\\WksSb.exe /AllUsers"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="WkDetect"

"hkey"="HKCU"

"command"="C:\\Program Files\\Microsoft Works\\WkDetect.exe"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="msmsgs"

"hkey"="HKCU"

"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"NVSvc"=dword:00000002

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]

LocalService REG_MULTI_SZ AlerterWebClientLmHostsRemoteRegistryupnphostSSDPSRV\

NetworkService REG_MULTI_SZ DnsCache\

rpcss REG_MULTI_SZ RpcSs\

imgsvc REG_MULTI_SZ StiSvc\

termsvcs REG_MULTI_SZ TermService\

HTTPFilter REG_MULTI_SZ HTTPFilter\

DcomLaunch REG_MULTI_SZ DcomLaunchTermService\

 

hklm\software\Microsoft\Windows NT\CurrentVersion\Svchost *netsvcs*

gb

 

 

 

-- End of Deckard's System Scanner: finished at 2007-06-01 at 18:07:33 ---------

 

I hope I did everything right.....

 

thanks

OTMoveIt report

 

File/Folder C:\WINDOWS\system32\kernel32.exe not found.

C:\WINDOWS\1809.exe moved successfully.

C:\WINDOWS\update7.exe moved successfully.

C:\FOUND.009 moved successfully.

C:\WINDOWS\dsb.exe moved successfully.

C:\WINDOWS\system32\hbaaaaaa.exe moved successfully.

C:\FOUND.008 moved successfully.

C:\WINDOWS\system32\bdod.bin moved successfully.

File/Folder C:\WINDOWS\system32\spooIsv.exe not found.

 

Created on 06-01-2007 17:36:01

Posted

Hello kini1,

 

Nice work, it's clean :P

 

Make sure that ActiveX controls are properly configured in Internet Options, as described at this link => http://www.inoculer.com/activex.php3

 

Run an online scan with http://webscanner.kaspersky.fr/kavwebscan.html

 

In the new window that opens, click "J'accepte" (I accept).

 

You will be asked to download one or two ActiveX controls; accept. Let it run its updates, then when it has finished click "Suivant" (Next).

 

In the "Choisissez la cible de l'analyse" (choose the scan target) menu, select "Poste de travail" (My Computer).

The scan will start. Please post the report it generates.

 

 

Help in case of problems: http://cybersecurite.xooit.com/t100-Scan-e...spersky.htm#768

 

NOTE: the scan must be run with Internet Explorer
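The first step in the post above, checking that ActiveX is sensibly configured in Internet Options, can be verified from the registry instead of clicking through the dialog. The PowerShell script below is an added example, not from this thread or from the inoculer.com page it links to. It reads the Internet-zone (zone 3) URL-action values that Internet Explorer stores under HKCU and reports which of them allow unsigned downloads or unsafe initialisation. The action ids and the 0/1/3 encoding are Microsoft's documented ones; the "safe" baseline is this example's own assumption (the linked page's exact recommendations are not reproduced here), and the function name Test-ActiveXZoneSettings is hypothetical.

```powershell
# Added example (not from the thread or the linked page): read-only audit of
# Internet Explorer ActiveX settings for the Internet zone (zone 3).
# Assumption: the "Safe" lists below are this example's own baseline.

$zonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# IE URL-action ids documented by Microsoft. Stored values: 0 = Enabled,
# 1 = Prompt, 3 = Disabled. "Safe" = values this example accepts without review.
$checks = @(
    @{ Id = '1001'; Name = 'Download signed ActiveX controls';                       Safe = @(1, 3) },
    @{ Id = '1004'; Name = 'Download unsigned ActiveX controls';                     Safe = @(3) },
    @{ Id = '1200'; Name = 'Run ActiveX controls and plug-ins';                      Safe = @(0, 1, 3) },
    @{ Id = '1201'; Name = 'Initialize and script ActiveX controls not marked safe'; Safe = @(3) }
)

$stateNames = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }

function Test-ActiveXZoneSettings {
    # Hypothetical helper: returns one object per audited action.
    param([string]$Path = $zonePath)

    if (-not (Test-Path $Path)) {
        Write-Warning "Zone key not found: $Path"
        return
    }
    $props = Get-ItemProperty -Path $Path

    foreach ($c in $checks) {
        $value = $props.($c.Id)          # $null when the value is absent
        if ($null -eq $value) {
            $state  = 'not set (IE default applies)'
            $status = 'REVIEW'
        } else {
            $state  = $stateNames[[int]$value]
            if (-not $state) { $state = "unknown ($value)" }
            $status = if ($c.Safe -contains [int]$value) { 'OK' } else { 'REVIEW' }
        }
        [pscustomobject]@{
            Action  = $c.Name
            Id      = $c.Id
            Current = $state
            Status  = $status
        }
    }
}

# Run as the affected user; the script changes nothing, it only reports.
Test-ActiveXZoneSettings | Format-Table -AutoSize
```

Run it in the account that browses the web, since these values are per-user. Anything marked REVIEW is a setting to compare against the linked guidance before changing it. Note that the online scan the post asks for installs one or two ActiveX controls itself, so the signed-download action (1001) has to be at least Prompt for that step to work, which is also why the scan must be run from Internet Explorer.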

Posted

Hello Bruce, I get this message when I turn the PC on:

 

mHotkey.exe composant introuvable ("component not found")?????

 

thanks
