
Posted

I don't seem to get pop-ups any more, but I still get lots of messages from AntiVir!!

I restored the latest CCleaner and WMP seems to be working properly again: to be continued.

Should I be worried about all these AntiVir alerts??

Posted

Does it find them again regularly?

C:\windows\system32\cpmf.exe is the trojan horse: TR\crypt.xpack.gen

C:\windows\system32\xoushgbg.exe is the trojan horse: TR\crypt.xpack.gen

Posted

Fairly regularly, but right now it has been a while since I've had any.

Could this be linked to Ad-Aware??? When I ran it, I got an AntiVir alert:

C:\windows\temp\~F.tmp exe

Worm/Bobax.AG.1

I accepted AntiVir's choice, namely Deny access.

When these alerts come up, should I accept AntiVir's choice or quarantine?

Posted

Quarantine.

Let's see (it takes a while, but still) whether there is anything else, using another scan engine:

  • Run a Kaspersky online scan with Internet Explorer:
    http://webscanner.kaspersky.fr/
  • Click the button shown in bouton-scann1.jpg
  • Accept the installation of one or more ActiveX controls if necessary.
  • Wait while the updates are installed.
  • Then choose to scan My Computer (Poste de travail)
  • Save, then paste the report generated at the end of the scan.

HELP: Configuring ActiveX controls

NOTE: If you get the message "La licence de Kaspersky On-line Scanner est périmée" (the Kaspersky On-line Scanner licence has expired), go to Add/Remove Programs, uninstall On-Line Scanner, then reconnect to the Kaspersky site to retry the online scan.

Posted

Thanks, I've just tried.

During the online scan I got lots of AntiVir alerts; my PC rebooted after the following message was quarantined: 30/06/2008,16:04:33 [WARNING] Is the Trojan horse TR/Crypt.PCMM.Gen!

C:\WINDOWS\system32\rghmal.exe

I also got messages from my firewall: kksnzo.exe is trying to access the Internet. Should I allow it?? Is it Kaspersky?

I have blocked Internet access every time.

I'm waiting to hear from you before starting again, because it's a bit annoying when it crashes after almost 2 hours.

In the meantime, I'm attaching the AntiVir log.

Thanks

28/06/2008,11:34:27 ---------------------------------------------------------

28/06/2008,11:34:34 Keyfile contains a valid license. The Avira AntiVir Personal – Free Antivirus will run as a fully functional version!

28/06/2008,11:34:34 AntiVir Guard version: 8.00.01.15,engine version 8.1.0.28,VDF version: 7.0.3.68

28/06/2008,11:34:36 AntiVir Guard was enabled.

28/06/2008,11:34:36 Avira AntiVir Personal – Free Antivirus has been started successfully!

28/06/2008,11:34:36 [CONFIG] On-Access configuration used:

- Files to scan: scan files from local drives

- Device mode: scan files on open, scan files on close

- Only scan files with one of the following extensions: . .386 .?HT* .ACM .ADE .ADP .ANI .APP .ASD .ASF .ASP .ASX .AWX .AX .BAS .BAT .BIN .BOO .CDF .CHM .CLASS .CMD .CNV .COM .CPL .CRT .CSH .DLL .DLO .DO? .DRV .EMF .EML .EXE* .FLT .FOT .HLP .HT* .INF .INI .INS .ISP .J2K .JAR .JFF .JFI .JFIF .JIF .JMH .JNG .JP2 .JPE .JPEG .JPG .JS* .JSE .LNK .LSP .MD? .MDB .MOD .MS? .NWS .OBJ .OCX .OLB .OSD .OV? .PCD .PDF .PDR .PGM .PHP .PIF .PKG .PL* .PNG .POT .PPS .PPT .PRG .RAR .REG .RPL .RTF .SBF .SCR .SCRIPT .SCT .SH .SHA .SHB .SHS .SHTM* .SIS .SPL .SWF .SYS .TLB .TMP .TSP .TTF .URL .VB? .VCS .VLM .VXD .VXO .WIZ .WLL .WMD .WMF .WMS .WMZ .WPC .WSC .WSF .WSH .WWK .XL? .XML .ZIP

- Unpack runtime compressed files

- Actions: ask the user

- Heuristic: MACRO , WIN32 MEDIUM

- Logfile report level 1

28/06/2008,11:36:03 [CONFIG] On-Access configuration used:

- Files to scan: scan files from local drives

- Device mode: scan files on open, scan files on close

- Only scan files with one of the following extensions: . .386 .?HT* .ACM .ADE .ADP .ANI .APP .ASD .ASF .ASP .ASX .AWX .AX .BAS .BAT .BIN .BOO .CDF .CHM .CLASS .CMD .CNV .COM .CPL .CRT .CSH .DLL .DLO .DO? .DRV .EMF .EML .EXE* .FLT .FOT .HLP .HT* .INF .INI .INS .ISP .J2K .JAR .JFF .JFI .JFIF .JIF .JMH .JNG .JP2 .JPE .JPEG .JPG .JS* .JSE .LNK .LSP .MD? .MDB .MOD .MS? .NWS .OBJ .OCX .OLB .OSD .OV? .PCD .PDF .PDR .PGM .PHP .PIF .PKG .PL* .PNG .POT .PPS .PPT .PRG .RAR .REG .RPL .RTF .SBF .SCR .SCRIPT .SCT .SH .SHA .SHB .SHS .SHTM* .SIS .SPL .SWF .SYS .TLB .TMP .TSP .TTF .URL .VB? .VCS .VLM .VXD .VXO .WIZ .WLL .WMD .WMF .WMS .WMZ .WPC .WSC .WSF .WSH .WWK .XL? .XML .ZIP

- Unpack runtime compressed files

- Actions: ask the user

- Heuristic: MACRO , WIN32 MEDIUM

- Logfile report level 1

28/06/2008,11:36:29 [CONFIG] On-Access configuration used:

- Files to scan: scan files from local drives

- Device mode: scan files on open, scan files on close

- Scan files with all extensions

- Unpack runtime compressed files

- Actions: ask the user

- Heuristic: MACRO , WIN32 MEDIUM

- Logfile report level 1

28/06/2008,11:40:15 [WARNING] Is the Trojan horse TR/Crypt.PCMM.Gen!

C:\WINDOWS\system32\oxliehfp.exe

[iNFO] No right to access the file.

28/06/2008,11:40:47 [WARNING] Is the Trojan horse TR/Crypt.PCMM.Gen!

C:\WINDOWS\System32\spoolsvc.exe

[iNFO] No right to access the file.

28/06/2008,11:39:48 [WARNING] Is the Trojan horse TR/Crypt.PCMM.Gen!

C:\WINDOWS\system32\oxliehfp.exe

[iNFO] No right to access the file.

28/06/2008,11:41:44 [WARNING] Contains detection pattern of the Windows virus W32/Virut.AX!

C:\Documents and Settings\christian\Mes documents\jcywy.exe

[iNFO] The file will be copied to quarantine.

[iNFO] The file will be deleted.

28/06/2008,11:45:21 Avira AntiVir Personal – Free Antivirus service has been stopped!

28/06/2008,11:45:34 ---------------------------------------------------------

28/06/2008,11:45:39 Keyfile contains a valid license. The Avira AntiVir Personal – Free Antivirus will run as a fully functional version!

28/06/2008,11:45:39 AntiVir Guard version: 8.00.01.15,engine version 8.1.0.59,VDF version: 7.0.5.17

28/06/2008,11:45:41 AntiVir Guard was enabled.

28/06/2008,11:45:41 Avira AntiVir Personal – Free Antivirus has been started successfully!

28/06/2008,11:45:41 [CONFIG] On-Access configuration used:

- Files to scan: scan files from local drives

- Device mode: scan files on open, scan files on close

- Scan files with all extensions

- Unpack runtime compressed files

- Actions: ask the user

- Heuristic: MACRO , WIN32 MEDIUM

- Logfile report level 1

28/06/2008,11:45:47 [CONFIG] On-Access configuration used:

- Files to scan: scan files from local drives

- Device mode: scan files on open, scan files on close

- Scan files with all extensions

- Unpack runtime compressed files

- Actions: ask the user

- Heuristic: MACRO , WIN32 MEDIUM

- Logfile report level 1

28/06/2008,14:02:53 [CONFIG] On-Access configuration used:

- Files to scan: scan files from local drives

- Device mode: scan files on open, scan files on close

- Scan files with all extensions

- Unpack runtime compressed files

- Actions: ask the user

- Heuristic: MACRO , WIN32 MEDIUM

- Logfile report level 1

28/06/2008,14:41:02 [WARNING] Is the Trojan horse TR/Crypt.XPACK.Gen!

C:\System Volume Information\_restore{0A8AC375-C828-4F19-860B-09FBEB517D9A}\RP3\A0001696.exe

[iNFO] The file will be copied to quarantine.

[iNFO] The file will be deleted.

28/06/2008,14:41:09 [WARNING] Is the Trojan horse TR/Crypt.XPACK.Gen!

C:\System Volume Information\_restore{0A8AC375-C828-4F19-860B-09FBEB517D9A}\RP3\A0001698.exe

[iNFO] The file will be copied to quarantine.

[iNFO] The file will be deleted.

28/06/2008,14:46:05 [CONFIG] On-Access configuration used:

- Files to scan: scan files from local drives

- Device mode: scan files on open, scan files on close

- Scan files with all extensions

- Unpack runtime compressed files

- Actions: ask the user

- Heuristic: MACRO , WIN32 MEDIUM

- Logfile report level 1

28/06/2008,14:59:05 Avira AntiVir Personal – Free Antivirus service has been stopped!

28/06/2008,18:49:09 ---------------------------------------------------------

28/06/2008,18:49:21 Keyfile contains a valid license. The Avira AntiVir Personal – Free Antivirus will run as a fully functional version!

28/06/2008,18:49:21 AntiVir Guard version: 8.00.01.15,engine version 8.1.0.59,VDF version: 7.0.5.17

28/06/2008,18:49:23 AntiVir Guard was enabled.

28/06/2008,18:49:23 Avira AntiVir Personal – Free Antivirus has been started successfully!

28/06/2008,18:49:23 [CONFIG] On-Access configuration used:

- Files to scan: scan files from local drives

- Device mode: scan files on open, scan files on close

- Scan files with all extensions

- Unpack runtime compressed files

- Actions: ask the user

- Heuristic: MACRO , WIN32 MEDIUM

- Logfile report level 1

28/06/2008,19:39:08 Avira AntiVir Personal – Free Antivirus service has been stopped!

29/06/2008,15:16:02 ---------------------------------------------------------

29/06/2008,15:16:09 Keyfile contains a valid license. The Avira AntiVir Personal – Free Antivirus will run as a fully functional version!

29/06/2008,15:16:09 AntiVir Guard version: 8.00.01.15,engine version 8.1.0.59,VDF version: 7.0.5.17

29/06/2008,15:16:10 AntiVir Guard was enabled.

29/06/2008,15:16:10 Avira AntiVir Personal – Free Antivirus has been started successfully!

29/06/2008,15:16:10 [CONFIG] On-Access configuration used:

- Files to scan: scan files from local drives

- Device mode: scan files on open, scan files on close

- Scan files with all extensions

- Unpack runtime compressed files

- Actions: ask the user

- Heuristic: MACRO , WIN32 MEDIUM

- Logfile report level 1

29/06/2008,15:21:39 Avira AntiVir Personal – Free Antivirus service has been stopped!

29/06/2008,15:21:42 ---------------------------------------------------------

29/06/2008,15:21:44 Keyfile contains a valid license. The Avira AntiVir Personal – Free Antivirus will run as a fully functional version!

29/06/2008,15:21:44 AntiVir Guard version: 8.00.01.18,engine version 8.1.0.59,VDF version: 7.0.5.18

29/06/2008,15:21:46 AntiVir Guard was enabled.

29/06/2008,15:21:46 Avira AntiVir Personal – Free Antivirus has been started successfully!

29/06/2008,15:21:46 [CONFIG] On-Access configuration used:

- Files to scan: scan files from local drives

- Device mode: scan files on open, scan files on close

- Scan files with all extensions

- Unpack runtime compressed files

- Actions: ask the user

- Heuristic: MACRO , WIN32 MEDIUM

- Logfile report level 1

29/06/2008,15:21:46 [CONFIG] On-Access configuration used:

- Files to scan: scan files from local drives

- Device mode: scan files on open, scan files on close

- Scan files with all extensions

- Unpack runtime compressed files

- Actions: ask the user

- Heuristic: MACRO , WIN32 MEDIUM

- Logfile report level 1

29/06/2008,16:49:54 [WARNING] Is the Trojan horse TR/Crypt.XPACK.Gen!

C:\WINDOWS\system32\bhtg.exe

[iNFO] The file will be copied to quarantine.

[iNFO] The file will be deleted.

29/06/2008,17:01:34 [WARNING] Is the Trojan horse TR/Crypt.XPACK.Gen!

C:\WINDOWS\system32\cpmf.exe

[ERROR] Unable to copied the file to the quarantine directory:

[iNFO] No right to access the file.

29/06/2008,17:23:01 [WARNING] Is the Trojan horse TR/Crypt.XPACK.Gen!

C:\WINDOWS\system32\xoushgbg.exe

[iNFO] No right to access the file.

29/06/2008,17:31:16 [WARNING] Contains detection pattern of the worm WORM/Bobax.AL!

C:\WINDOWS\TEMP\~DF10.tmp

[iNFO] No right to access the file.

29/06/2008,17:31:27 [WARNING] Contains detection pattern of the worm WORM/Bobax.AG.1!

C:\WINDOWS\TEMP\~F.tmp.exe

[iNFO] No right to access the file.

29/06/2008,17:30:46 [WARNING] Contains detection pattern of the worm WORM/Bobax.AG.1!

C:\WINDOWS\system32\vmwgfuqh.exe

[iNFO] No right to access the file.

29/06/2008,17:54:50 [WARNING] Is the Trojan horse TR/Crypt.XPACK.Gen!

C:\windows\system32\logon.exe

[iNFO] No right to access the file.

29/06/2008,18:08:08 [WARNING] Contains detection pattern of the worm WORM/Bobax.AG.1!

C:\WINDOWS\system32\vmwgfuqh.exe

[iNFO] No right to access the file.

29/06/2008,18:26:49 [WARNING] Contains detection pattern of the worm WORM/Bobax.AG.1!

C:\WINDOWS\TEMP\~F.tmp.exe

[iNFO] No right to access the file.

29/06/2008,18:27:27 [WARNING] Is the Trojan horse TR/Crypt.XPACK.Gen!

C:\WINDOWS\system32\xoushgbg.exe

[iNFO] No right to access the file.

29/06/2008,19:38:01 [WARNING] Contains detection pattern of the worm WORM/Bobax.AG.1!

C:\WINDOWS\TEMP\~F.tmp.exe

[iNFO] No right to access the file.

29/06/2008,20:06:31 [WARNING] Is the Trojan horse TR/Crypt.XPACK.Gen!

C:\System Volume Information\_restore{0A8AC375-C828-4F19-860B-09FBEB517D9A}\RP4\A0001881.exe

[iNFO] No right to access the file.

29/06/2008,20:20:07 Avira AntiVir Personal – Free Antivirus service has been stopped!

30/06/2008,13:54:50 ---------------------------------------------------------

30/06/2008,13:54:55 Keyfile contains a valid license. The Avira AntiVir Personal – Free Antivirus will run as a fully functional version!

30/06/2008,13:54:55 AntiVir Guard version: 8.00.01.18,engine version 8.1.0.59,VDF version: 7.0.5.18

30/06/2008,13:54:56 AntiVir Guard was enabled.

30/06/2008,13:54:57 Avira AntiVir Personal – Free Antivirus has been started successfully!

30/06/2008,13:54:57 [CONFIG] On-Access configuration used:

- Files to scan: scan files from local drives

- Device mode: scan files on open, scan files on close

- Scan files with all extensions

- Unpack runtime compressed files

- Actions: ask the user

- Heuristic: MACRO , WIN32 MEDIUM

- Logfile report level 1

30/06/2008,14:00:18 [WARNING] Contains detection pattern of the Windows virus W32/Virut.AX!

C:\WINDOWS\system32\nhwbv.exe

[iNFO] No right to access the file.

30/06/2008,14:04:28 Update process started!

30/06/2008,14:04:31 Current Engine Version: 8.1.0.59

30/06/2008,14:04:31 Current Pattern File: 7.0.5.23

30/06/2008,14:04:31 [CONFIG] On-Access configuration used:

- Files to scan: scan files from local drives

- Device mode: scan files on open, scan files on close

- Scan files with all extensions

- Unpack runtime compressed files

- Actions: ask the user

- Heuristic: MACRO , WIN32 MEDIUM

- Logfile report level 1

30/06/2008,14:18:05 [WARNING] Contains detection pattern of the Windows virus W32/Virut.AX!

C:\WINDOWS\system32\gvpoxcs.exe

[iNFO] No right to access the file.

30/06/2008,14:27:05 [WARNING] Contains detection pattern of the Windows virus W32/Virut.AX!

C:\WINDOWS\system32\kksnzo.exe

[iNFO] No right to access the file.

30/06/2008,14:28:32 [WARNING] Contains detection pattern of the Windows virus W32/Virut.AX!

C:\WINDOWS\SYSTEM32\KKSNZO.EXE

[iNFO] No right to access the file.

30/06/2008,14:36:06 [WARNING] Contains detection pattern of the Windows virus W32/Virut.AX!

C:\WINDOWS\system32\mjfsu.exe

[iNFO] The file will be copied to quarantine.

[iNFO] The file will be deleted.

30/06/2008,14:45:02 [WARNING] Contains detection pattern of the Windows virus W32/Virut.AX!

C:\WINDOWS\system32\jddzviy.exe

[iNFO] The file will be copied to quarantine.

[iNFO] The file will be deleted.

30/06/2008,15:05:28 [ERROR] Unable to delete the file:

C:\WINDOWS\system32\jddzviy.exe

Error description: 0x00000005 - Accès refusé.

30/06/2008,15:02:18 [WARNING] Contains detection pattern of the Windows virus W32/Virut.AX!

C:\WINDOWS\system32\blgpgc.exe

[iNFO] The file will be copied to quarantine.

[iNFO] The file will be deleted.

30/06/2008,14:53:50 [WARNING] Contains detection pattern of the Windows virus W32/Virut.AX!

C:\WINDOWS\system32\sdhuw.exe

[iNFO] No right to access the file.

30/06/2008,15:12:04 [WARNING] Is the Trojan horse TR/Crypt.XPACK.Gen!

C:\System Volume Information\_restore{0A8AC375-C828-4F19-860B-09FBEB517D9A}\RP4\A0001881.exe

[iNFO] The file will be copied to quarantine.

[iNFO] The file will be deleted.

30/06/2008,15:12:11 [WARNING] Is the Trojan horse TR/Crypt.XPACK.Gen!

C:\System Volume Information\_restore{0A8AC375-C828-4F19-860B-09FBEB517D9A}\RP4\A0001882.exe

[iNFO] The file will be copied to quarantine.

[iNFO] The file will be deleted.

30/06/2008,15:21:02 [WARNING] Contains detection pattern of the Windows virus W32/Virut.AX!

C:\WINDOWS\system32\vtpwhq.exe

[iNFO] The file will be copied to quarantine.

[iNFO] The file will be deleted.

30/06/2008,15:21:49 Update process started!

30/06/2008,15:21:57 Current Engine Version: 8.1.0.59

30/06/2008,15:21:57 Current Pattern File: 7.0.5.25

30/06/2008,15:21:58 [CONFIG] On-Access configuration used:

- Files to scan: scan files from local drives

- Device mode: scan files on open, scan files on close

- Scan files with all extensions

- Unpack runtime compressed files

- Actions: ask the user

- Heuristic: MACRO , WIN32 MEDIUM

- Logfile report level 1

30/06/2008,15:32:54 [WARNING] Contains detection pattern of the Windows virus W32/Virut.AX!

C:\WINDOWS\system32\jddzviy.exe

[iNFO] The file will be copied to quarantine.

[iNFO] The file will be deleted.

30/06/2008,15:33:32 [WARNING] Contains detection pattern of the Windows virus W32/Virut.AX!

C:\WINDOWS\system32\kksnzo.exe

[iNFO] No right to access the file.

30/06/2008,15:34:50 [WARNING] Contains detection pattern of the Windows virus W32/Virut.AX!

C:\WINDOWS\system32\sdhuw.exe

[iNFO] The file will be copied to quarantine.

[iNFO] The file will be deleted.

30/06/2008,15:35:33 [WARNING] Contains detection pattern of the worm WORM/Bobax.AG.1!

C:\WINDOWS\system32\vmwgfuqh.exe

[iNFO] The file will be copied to quarantine.

[iNFO] The file will be deleted.

30/06/2008,15:36:06 [WARNING] Contains detection pattern of the worm WORM/Bobax.AG.1!

C:\WINDOWS\TEMP\~F.tmp.exe

[iNFO] The file will be copied to quarantine.

[iNFO] The file will be deleted.

30/06/2008,15:38:31 [WARNING] Contains detection pattern of the Windows virus W32/Virut.AX!

C:\WINDOWS\system32\qfvef.exe

[iNFO] The file will be copied to quarantine.

[iNFO] The file will be deleted.

30/06/2008,15:47:08 [WARNING] Contains detection pattern of the Windows virus W32/Virut.AX!

C:\WINDOWS\system32\bddfwbwp.exe

[iNFO] The file will be copied to quarantine.

[iNFO] The file will be deleted.

30/06/2008,15:55:54 [WARNING] Contains detection pattern of the Windows virus W32/Virut.AX!

C:\WINDOWS\system32\lvaqg.exe

[iNFO] The file will be copied to quarantine.

[iNFO] The file will be deleted.

30/06/2008,15:56:36 [CONFIG] On-Access configuration used:

- Files to scan: scan files from local drives

- Device mode: scan files on open, scan files on close

- Scan files with all extensions

- Unpack runtime compressed files

- Actions: ask the user

- Heuristic: MACRO , WIN32 MEDIUM

- Logfile report level 1

30/06/2008,16:04:33 [WARNING] Is the Trojan horse TR/Crypt.PCMM.Gen!

C:\WINDOWS\system32\rghmal.exe

[iNFO] The file will be copied to quarantine.

[iNFO] The file will be deleted.

30/06/2008,16:06:11 Avira AntiVir Personal – Free Antivirus service has been stopped!

30/06/2008,16:07:09 ---------------------------------------------------------

30/06/2008,16:07:14 Keyfile contains a valid license. The Avira AntiVir Personal – Free Antivirus will run as a fully functional version!

30/06/2008,16:07:14 AntiVir Guard version: 8.00.01.18,engine version 8.1.0.59,VDF version: 7.0.5.25

30/06/2008,16:07:16 AntiVir Guard was enabled.

30/06/2008,16:07:16 Avira AntiVir Personal – Free Antivirus has been started successfully!

30/06/2008,16:07:16 [CONFIG] On-Access configuration used:

- Files to scan: scan files from local drives

- Device mode: scan files on open, scan files on close

- Scan files with all extensions

- Unpack runtime compressed files

- Actions: ask the user

- Heuristic: MACRO , WIN32 MEDIUM

- Logfile report level 1

30/06/2008,16:13:29 [WARNING] Contains detection pattern of the Windows virus W32/Virut.AX!

C:\WINDOWS\system32\sifuhni.exe

[iNFO] The file will be copied to quarantine.

[iNFO] The file will be deleted.

Posted

You have a virus that is gradually destroying your programs.

We'll attempt a recovery, but a reformat may be necessary.

In the meantime, back up your personal data while it is still possible.
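As an added example (not part of the thread and not from any poster): a triage of the AntiVir Guard log layout quoted above, grouping detections per file and flagging files whose last logged action did not remove them ("No right to access the file", "Unable to delete the file") or that were detected again after an earlier quarantine. The sample lines, file names and the field names `unresolved` and `reappeared` are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the AntiVir Guard log layout quoted in the thread.
# File names are invented; "[iNFO]" mirrors the forum's case mangling and the
# out-of-order timestamps mirror the posted log.
SAMPLE_LOG = r"""
01/07/2008,10:00:05 [WARNING] Contains detection pattern of the Windows virus W32/Virut.AX!
C:\WINDOWS\system32\aaaa.exe
[iNFO] The file will be copied to quarantine.
[iNFO] The file will be deleted.
01/07/2008,10:20:00 [ERROR] Unable to delete the file:
C:\WINDOWS\system32\aaaa.exe
Error description: 0x00000005 - Access denied.
01/07/2008,10:12:30 [WARNING] Is the Trojan horse TR/Crypt.XPACK.Gen!
C:\WINDOWS\system32\bbbb.exe
[iNFO] No right to access the file.
01/07/2008,10:45:10 [WARNING] Contains detection pattern of the Windows virus W32/Virut.AX!
C:\WINDOWS\SYSTEM32\AAAA.EXE
[iNFO] The file will be copied to quarantine.
[iNFO] The file will be deleted.
01/07/2008,10:50:00 [WARNING] Contains detection pattern of the worm WORM/Bobax.AG.1!
C:\WINDOWS\TEMP\~X.tmp.exe
[iNFO] The file will be copied to quarantine.
[iNFO] The file will be deleted.
"""

STAMP = re.compile(r"^(\d{2}/\d{2}/\d{4},\d{2}:\d{2}:\d{2}) (.*)$")
DETECT = re.compile(r"^\[WARNING\] (?:Is the|Contains detection pattern of the) .+ (\S+)!$")
INFO = re.compile(r"^\[INFO\] (.*)$", re.IGNORECASE)
PATH = re.compile(r"^[A-Za-z]:\\")


def parse_events(text):
    """Return detection / delete-failure events, sorted by timestamp."""
    events, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        stamped = STAMP.match(line)
        if stamped:
            when = datetime.strptime(stamped.group(1), "%d/%m/%Y,%H:%M:%S")
            body = stamped.group(2)
            hit = DETECT.match(body)
            if hit:
                cur = {"time": when, "kind": "detection", "signature": hit.group(1),
                       "path": None, "outcome": "unknown"}
            elif body.startswith("[ERROR] Unable to delete the file"):
                cur = {"time": when, "kind": "delete_failed", "signature": None,
                       "path": None, "outcome": "delete_failed"}
            else:
                cur = None  # start-up, update and [CONFIG] records carry no detection
            if cur:
                events.append(cur)
            continue
        if cur is None:
            continue
        info = INFO.match(line)
        if info and cur["kind"] == "detection":
            msg = info.group(1)
            if msg.startswith("No right to access"):
                cur["outcome"] = "access_denied"
            elif "quarantine" in msg or "deleted" in msg:
                cur["outcome"] = "quarantined"
        elif cur["path"] is None and PATH.match(line):
            cur["path"] = line
    # The posted log is not strictly chronological, so order by parsed time.
    return sorted((e for e in events if e["path"]), key=lambda e: e["time"])


def triage(text):
    """Per file (case-insensitive path): signatures, hit count, status flags."""
    history = defaultdict(list)
    for ev in parse_events(text):
        history[ev["path"].lower()].append(ev)
    report = {}
    for path, evs in history.items():
        quarantined_before, reappeared = False, False
        for ev in evs:
            if ev["kind"] == "detection" and quarantined_before:
                reappeared = True  # detected again after an earlier quarantine
            quarantined_before = quarantined_before or ev["outcome"] == "quarantined"
        report[path] = {
            "signatures": sorted({e["signature"] for e in evs if e["signature"]}),
            "detections": sum(e["kind"] == "detection" for e in evs),
            "reappeared": reappeared,
            # Still on disk as far as the log shows: last action did not remove it.
            "unresolved": evs[-1]["outcome"] != "quarantined",
        }
    return report


if __name__ == "__main__":
    for path, info in sorted(triage(SAMPLE_LOG).items()):
        flags = [k for k in ("unresolved", "reappeared") if info[k]]
        print(f"{path}  x{info['detections']}  {','.join(info['signatures'])}  {flags}")
```

A file flagged `reappeared` was written again after the scanner had already removed it, so deleting it once more does not address whatever process keeps creating or re-infecting it.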

Posted

Create a new folder on your Desktop (Right-click > New > Folder)

• Download the 2 files into this folder, and nowhere else:

http://download.grisoft.cz/filedir/util/av...up.dir/rmvirut/

(the .exe and the .nt)

• Run rmvirut.exe and let it work.

Post the report on a help forum if you can; otherwise do the following:

• File > Save log > Save it to the Desktop, so it is easier to find.

• It will be named VirusRemover.log

Posted

Hello,

I ran a scan with rmvirut, which apparently found nothing, but there are files it could not open.

When I tried to come back to report the result, I could no longer get access while logged in as soon as I tried to open this thread.

I went to look on Clubic, where I found ComboFix, which I ran in safe mode (otherwise the PC reboots) and which deleted 11 files in system32. Here is its log:

ComboFix 08-06-30.2 - christian 2008-07-01 21:10:39.2 - NTFSx86 MINIMAL

Endroit: C:\Documents and Settings\christian\Bureau\ComboFix.exe

 

AVERTISSEMENT - LA CONSOLE DE RÉCUPÉRATION N'EST PAS INSTALLÉE SUR CETTE MACHINE !!

.

 

(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\WINDOWS\system32\ass.exe

C:\WINDOWS\system32\wbt.exe

C:\WINDOWS\system32\wmsoft04822.exe

C:\WINDOWS\system32\wmsoft14323.exe

C:\WINDOWS\system32\wmsoft21705.exe

C:\WINDOWS\system32\wmsoft27153.exe

C:\WINDOWS\system32\wmsoft36806.exe

C:\WINDOWS\system32\wmsoft52245.exe

C:\WINDOWS\system32\wmsoft53374.exe

C:\WINDOWS\system32\wmsoft71863.exe

C:\WINDOWS\system32\wmsoft76554.exe

C:\WINDOWS\system32\wmsoft78134.exe

 

.

((((((((((((((((((((((((((((( Fichiers créés 2008-06-01 to 2008-07-01 ))))))))))))))))))))))))))))))))))))

.

 

2008-07-01 20:58 . 2008-07-01 20:58 63,488 --ah----- C:\WINDOWS\system32\ipftaa.exe

2008-07-01 20:58 . 2008-07-01 20:58 124 --a------ C:\WINDOWS\system32\ooimhqba.bat

2008-06-30 15:02 . 2008-06-30 15:02 123 --a------ C:\WINDOWS\system32\athljxa.bat

2008-06-30 14:54 . 2008-06-30 14:54 118 --a------ C:\WINDOWS\system32\bmpek.bat

2008-06-30 14:46 . 2008-06-30 14:46 125 --a------ C:\WINDOWS\system32\wxyjju.bat

2008-06-30 14:01 . 2008-06-30 14:01 <REP> d-------- C:\WINDOWS\system32\Kaspersky Lab

2008-06-29 17:31 . 2008-06-29 17:31 126 --a------ C:\WINDOWS\system32\gina.bat

2008-06-29 17:23 . 2008-06-29 17:23 128 --a------ C:\WINDOWS\system32\xhzihf.bat

2008-06-28 14:40 . 2008-06-28 14:40 66 --a------ C:\WINDOWS\system32\wbt.inf

2008-06-28 14:27 . 2002-08-29 02:01 134,272 --a------ C:\WINDOWS\system32\drivers\portcls.sys

2008-06-28 14:27 . 2002-08-29 02:01 134,272 --a--c--- C:\WINDOWS\system32\dllcache\portcls.sys

2008-06-28 14:27 . 2002-08-29 01:32 57,856 --a------ C:\WINDOWS\system32\drivers\drmk.sys

2008-06-28 14:27 . 2002-08-29 01:32 57,856 --a--c--- C:\WINDOWS\system32\dllcache\drmk.sys

2008-06-28 14:13 . 2008-06-28 14:13 0 -ra------ C:\WINDOWS\system32\TFTP3912

2008-06-28 11:40 . 2008-06-28 11:40 129 --a------ C:\WINDOWS\system32\yimrxzy.bat

2008-06-28 11:29 . 2008-06-28 11:29 <REP> d-------- C:\Program Files\Avira

2008-06-28 11:29 . 2008-06-28 11:29 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Avira

2008-06-27 21:44 . 2008-06-27 21:44 123 --a------ C:\WINDOWS\system32\nhfx.bat

2008-06-27 21:35 . 2008-06-27 21:35 125 --a------ C:\WINDOWS\system32\vpftrn.bat

2008-06-27 21:25 . 2008-06-27 21:25 127 --a------ C:\WINDOWS\system32\hkeawdui.bat

2008-06-27 21:15 . 2008-06-27 21:15 120 --a------ C:\WINDOWS\system32\apug.bat

2008-06-27 20:27 . 2004-08-03 14:02 169,240 --a------ C:\WINDOWS\system32\wuaucpl.cpl

2008-06-27 20:25 . 2008-06-27 21:04 <REP> d-------- C:\WINDOWS\BDOSCAN8

2008-06-27 20:19 . 2008-07-01 21:00 80 --a------ C:\WINDOWS\system32\i

2008-06-27 20:13 . 2008-06-30 14:01 <REP> d-------- C:\WINDOWS\LastGood

2008-06-27 20:00 . 2008-06-27 20:00 <REP> d-------- C:\WINDOWS\LastGood.Tmp

2008-06-27 18:36 . 2002-08-30 14:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll

2008-06-27 18:35 . 2001-08-23 17:47 2,134,528 --a--c--- C:\WINDOWS\system32\dllcache\EXCH_smtpsnap.dll

2008-06-27 18:33 . 2008-06-27 18:33 749 -rah----- C:\WINDOWS\WindowsShell.Manifest

2008-06-27 18:33 . 2008-06-27 18:33 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest

2008-06-27 18:33 . 2008-06-27 18:33 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest

2008-06-27 18:33 . 2008-06-27 18:33 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest

2008-06-27 18:33 . 2008-06-27 18:33 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest

2008-06-27 18:31 . 2002-08-30 14:00 1,172,992 --a--c--- C:\WINDOWS\system32\dllcache\comsvcs.dll

2008-06-27 18:22 . 2002-08-30 14:00 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll

2008-06-27 18:22 . 2002-08-30 14:00 24,661 --a--c--- C:\WINDOWS\system32\dllcache\spxcoins.dll

2008-06-27 18:22 . 2002-08-30 14:00 13,312 --a------ C:\WINDOWS\system32\irclass.dll

2008-06-27 18:22 . 2002-08-30 14:00 13,312 --a--c--- C:\WINDOWS\system32\dllcache\irclass.dll

2008-06-25 11:11 . 2008-06-27 15:34 2,395 --a------ C:\WINDOWS\setupapi.old

2008-06-25 00:11 . 2008-06-25 00:11 <REP> d-------- C:\Program Files\Fichiers communs\Wise Installation Wizard

2008-06-24 23:30 . 2008-06-24 23:51 <REP> d-------- C:\Program Files\Trojan Remover

2008-06-23 19:03 . 2008-06-24 23:52 <REP> d-------- C:\Program Files\Fichiers communs\Seagate

2008-06-07 17:17 . 2008-06-07 17:17 <REP> d--h----- C:\WINDOWS\PIF

2008-06-07 17:13 . 2008-06-07 17:13 1,680 --a------ C:\WINDOWS\system32\esnecil.nlp

2008-06-07 17:13 . 2008-06-08 10:12 1,680 --a------ C:\WINDOWS\system32\esnecil.ind

2008-06-07 17:13 . 2008-06-07 17:13 4 --a------ C:\WINDOWS\vx86036.dat

2008-06-07 17:12 . 2008-06-17 23:46 <REP> d-------- C:\Program Files\Stellar Phoenix Windows Data Recovery

2008-06-07 17:12 . 1999-06-18 23:49 165,888 --a------ C:\WINDOWS\Ckconfig.exe

2008-06-07 17:12 . 2006-03-01 03:10 69,632 --a------ C:\WINDOWS\system32\Crypserv.exe

2008-06-07 17:12 . 2006-01-10 04:47 31,846 --a------ C:\WINDOWS\system32\Ckldrv.sys

2008-06-07 17:12 . 1996-05-03 19:21 27,648 -ra------ C:\WINDOWS\Setup_ck.exe

2008-06-07 17:12 . 1996-05-03 17:36 18,432 --a------ C:\WINDOWS\Setup_ck.dll

2008-06-07 17:12 . 1995-07-04 20:33 11,776 --a------ C:\WINDOWS\Ckrfresh.exe

2008-06-07 17:12 . 2008-06-07 17:12 71 --a------ C:\WINDOWS\Crypkey.ini

2008-06-07 15:22 . 2003-07-06 13:43 <REP> d--h----- C:\Documents and Settings\Administrateur\Voisinage réseau

2008-06-07 15:22 . 2003-07-06 13:43 <REP> d--h----- C:\Documents and Settings\Administrateur\Voisinage d'impression

2008-06-07 15:22 . 2003-07-06 15:25 <REP> d---s---- C:\Documents and Settings\Administrateur\UserData

2008-06-07 15:22 . 2006-03-05 11:42 <REP> d--h----- C:\Documents and Settings\Administrateur\Modèles

2008-06-07 15:22 . 2005-01-30 19:14 <REP> dr------- C:\Documents and Settings\Administrateur\Mes documents

2008-06-07 15:22 . 2003-07-06 13:43 <REP> dr------- C:\Documents and Settings\Administrateur\Menu Démarrer

2008-06-07 15:22 . 2003-07-14 12:06 <REP> dr------- C:\Documents and Settings\Administrateur\Favoris

2008-06-07 15:22 . 2008-06-10 19:44 <REP> d-------- C:\Documents and Settings\Administrateur\Bureau

2008-06-07 15:22 . 2003-07-06 13:51 <REP> d-------- C:\Documents and Settings\Administrateur\Application Data\InterTrust

2008-06-07 15:22 . 2003-07-06 15:03 <REP> d-------- C:\Documents and Settings\Administrateur\Application Data\CyberLink

2008-06-07 15:22 . 2008-06-07 15:22 <REP> d-------- C:\Documents and Settings\Administrateur

 

.

(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-06-28 09:29 3,917,312 ----a-w C:\WINDOWS\Internet Logs\xDB2C.tmp

2008-06-28 09:29 133,120 ----a-w C:\WINDOWS\Internet Logs\xDB2B.tmp

2008-06-27 17:07 424,960 ----a-w C:\WINDOWS\Internet Logs\xDB2A.tmp

2008-06-24 21:51 --------- d-----w C:\Program Files\Lavasoft

2008-06-20 15:09 481,792 ----a-w C:\WINDOWS\Internet Logs\xDB28.tmp

2008-06-20 15:09 3,874,304 ----a-w C:\WINDOWS\Internet Logs\xDB29.tmp

2008-06-17 21:23 2,980,352 ----a-w C:\WINDOWS\Internet Logs\xDB27.tmp

2008-06-17 21:12 20,885,785 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip

2008-06-04 16:03 --------- d-----w C:\Program Files\MP3 Player Utilities 3.75

2008-05-29 15:54 3,836,416 ----a-w C:\WINDOWS\Internet Logs\xDB26.tmp

2008-05-28 20:00 --------- d-----w C:\Program Files\C-Media

2008-05-28 19:23 3,820,032 ----a-w C:\WINDOWS\Internet Logs\xDB24.tmp

2008-05-28 19:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\nView_Profiles

2008-05-28 11:13 --------- d-----w C:\Documents and Settings\christian\Application Data\Zylom

2008-05-28 11:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Zylom

2008-05-25 17:07 3,790,848 ----a-w C:\WINDOWS\Internet Logs\xDB25.tmp

2008-05-25 17:07 3,228,160 ----a-w C:\WINDOWS\Internet Logs\xDB23.tmp

2008-05-25 17:04 3,790,848 ----a-w C:\WINDOWS\Internet Logs\xDB22.tmp

2008-05-25 16:53 --------- d-----w C:\Program Files\UbiSoft

2008-05-19 13:29 --------- d-----w C:\Documents and Settings\christian\Application Data\gtk-2.0

2008-05-10 16:14 --------- d-----w C:\Program Files\TomTom HOME

2008-05-10 16:13 --------- d--h--w C:\Program Files\InstallShield Installation Information

2008-05-10 16:12 --------- d-----w C:\Documents and Settings\christian\Application Data\InstallShield

2008-05-10 15:43 --------- d-----w C:\Documents and Settings\christian\Application Data\TomTom

2008-05-08 13:56 3,708,416 ----a-w C:\WINDOWS\Internet Logs\xDB21.tmp

2008-05-02 19:55 --------- d-----w C:\Program Files\PDFCreator

2008-05-01 19:13 --------- d-----w C:\Program Files\GIMP-2.0

2008-04-25 19:36 3,493,888 ----a-w C:\WINDOWS\Internet Logs\xDB20.tmp

2008-04-19 06:16 3,398,144 ----a-w C:\WINDOWS\Internet Logs\xDB1F.tmp

2008-03-09 15:51 64,120 ----a-w C:\Documents and Settings\christian\Application Data\GDIPFONTCACHEV1.DAT

2007-11-16 07:07 60,232 ----a-w C:\Documents and Settings\brigitte\Application Data\GDIPFONTCACHEV1.DAT

2007-11-13 16:30 60,232 ----a-w C:\Documents and Settings\marie\Application Data\GDIPFONTCACHEV1.DAT

2007-02-10 10:30 87,608 ----a-w C:\Documents and Settings\christian\Application Data\ezpinst.exe

2007-02-10 10:30 47,360 ----a-w C:\Documents and Settings\christian\Application Data\pcouffin.sys

2001-11-23 10:08 712,704 ----a-w C:\WINDOWS\inf\OTHER\AUDIO3D.DLL

2006-03-31 16:51 4,184 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys

.

 

------- Sigcheck -------

 

2003-06-30 17:35 29952 eddca9c72f1e7f2e2e2ab6ad7106c4a5 C:\WINDOWS\system32\drivers\ip6fw.sys

.

((((((((((((((((((((((((((((((((( Point de chargement Reg )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

REGEDIT4

*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]

"SetDefPrt"="C:\Program Files\Brother\BRMFLPRO\BrDefPrt.exe" [2002-12-18 15:31 40960]

"PaperPort PTD"="C:\Program Files\Scansoft\PaperPort\pptd40nt.exe" [2002-07-08 11:10 45108]

"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2004-06-03 10:50 204800]

"IndexSearch"="C:\Program Files\Scansoft\PaperPort\IndexSearch.exe" [2002-07-08 11:41 36864]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-09-27 20:42 98304]

"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]

"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-12-13 20:27 919016]

"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]

"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-05-02 16:19 4640768]

"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2003-05-02 16:19 49152]

"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-12 10:06 262401]

"nwiz"="nwiz.exe" [2003-05-02 16:19 323584 C:\WINDOWS\system32\nwiz.exe]

"Dit"="Dit.exe" [2002-08-28 13:43 73728 C:\WINDOWS\Dit.exe]

"AdslTaskBar"="stmctrl.dll" [2005-02-11 10:38 167936 C:\WINDOWS\system32\stmctrl.dll]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2002-08-30 14:00 13312]

 

C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage\

BTTray.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2003-07-29 16:14:16 499773]

Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 11:01:04 83360]

SmartUI.lnk - C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe [2003-02-06 17:07:12 1572864]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"VIDC.MJPG"= Pvmjpg21.dll

"VIDC.PIM1"= pclepim1.dll

"vidc.xvid"= xvid.dll

 

R0 avgntmgr;avgntmgr;C:\WINDOWS\System32\DRIVERS\avgntmgr.sys [2008-01-21 18:11]

R1 avgntdd;avgntdd;C:\WINDOWS\System32\DRIVERS\avgntdd.sys [2008-01-21 18:12]

R3 usbstor;Pilote de stockage de masse USB;C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2002-08-30 14:00]

S3 AntiAries;Anti Aries Helper Driver;C:\WINDOWS\System32\drivers\RKLB.tmp.sys [2007-02-16 14:42]

S3 brfilt;Pilote de filtre Brother MFC;C:\WINDOWS\System32\Drivers\Brfilt.sys [2001-08-17 22:12]

S3 BrSerWDM;Pilote série Brother;C:\WINDOWS\System32\Drivers\BrSerWdm.sys [2001-08-17 22:12]

S3 BrUsbMdm;Brother MFC USB modem télécopieur uniquement;C:\WINDOWS\System32\Drivers\BrUsbMdm.sys [2001-08-17 22:12]

S3 BrUsbScn;Pilote de scanneur Brother MFC USB;C:\WINDOWS\System32\Drivers\BrUsbScn.sys [2001-08-17 22:12]

S3 Fadpu16E;Fadpu16E;C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\Fadpu16E.sys []

S3 Ip6FwHlp;Pare-feu de connexion Internet IPv6;C:\WINDOWS\System32\svchost.exe [2002-08-30 14:00]

S3 PALLADIA;Palladia 300/400 Usb Adsl Modem;C:\WINDOWS\System32\DRIVERS\usbiad.sys [2004-07-14 03:52]

S3 Stmatm;ATM/ADSL miniport;C:\WINDOWS\System32\DRIVERS\stmatm.sys [2004-11-16 16:48]

S3 TaurusUsb;ADSL Modem USB Service;C:\WINDOWS\System32\DRIVERS\torususb.sys [2005-04-19 15:54]

S3 usbscan;Pilote de scanneur USB;C:\WINDOWS\System32\DRIVERS\usbscan.sys [2002-08-29 02:48]

 

*Newly Created Service* - NVCAP

*Newly Created Service* - NVXBAR

.

- - - - ORPHANS REMOVED - - - -

 

HKLM-Run-Cmaudio - cmicnfg.cpl,CMICtrlWnd

 

 

**************************************************************************

 

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-07-01 21:13:36

Windows 5.1.2600 Service Pack 1 NTFS

 

Balayage processus cachés ...

 

Balayage caché autostart entries ...

 

Balayage des fichiers cachés ...

 

Scan terminé avec succès

Les fichiers cachés: 0

 

**************************************************************************

.

Temps d'accomplissement: 2008-07-01 21:15:08

ComboFix-quarantined-files.txt 2008-07-01 19:14:54

 

Pre-Run: 30,202,646,528 octets libres

Post-Run: 30,240,288,768 octets libres

 

194 --- E O F --- 2008-06-17 21:36:59

 

 

 

I won't overload this message with the rmvirut log.

Do you know Vundofix? I also found it on Clubic, but when I launch it from the desktop, I get an error message: "Vundofix.exe n'est pas une application Win32 valide"

Thanks
