HiJackThis report or log


sooprano

Hi, my problem is that I got infected by viruses that disabled my task manager even though I'm an administrator on my computer, and it also makes my computer very slow. So I heard about HiJackThis and I made this report. Please help me neutralize these viruses.

HiJackThis report


Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 13:41:48, on 27/01/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Silicon Integrated Systems\SiSRaidPackage\SRaid.exe

C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

C:\Program Files\Analog Devices\SoundMAX\Smax4.exe

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\RALINK\Common\RaUI.exe

C:\Program Files\SMC\SMCWUSB-G 802.11g Wireless USB 2.0 Adapter\SMCWGUTI.exe

C:\WINDOWS\system32\sistray.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

C:\Program Files\Eset\nod32krn.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\DOCUME~1\DEEPIM~1\LOCALS~1\Temp\winpggmj.exe

C:\WINDOWS\explorer.exe

C:\Documents and Settings\deep imagination\Bureau\rav\rav.exe

C:\Documents and Settings\deep imagination\Bureau\HiJackThis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.fr

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.files-ftp.com/~unicorni/phpBB2/index.php

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.files-ftp.com/~unicorni/phpBB2/index.php

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O4 - HKLM\..\Run: [siSRaid] C:\Program Files\Silicon Integrated Systems\SiSRaidPackage\SRaid.exe

O4 - HKLM\..\Run: [siSPower] Rundll32.exe SiSPower.dll,ModeAgent

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

O4 - HKLM\..\Run: [soundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray

O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [cdoosoft] C:\WINDOWS\system32\olhrwef.exe

O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SERVICE LOCAL')

O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SERVICE RÉSEAU')

O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')

O4 - Startup: Anti-Autorun-inf.lnk = C:\Program Files\Prg Chris\Anti-Autorun.inf\Anti-Autorun.inf.exe

O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Program Files\RALINK\Common\RaUI.exe

O4 - Global Startup: SMCWUSB-G 802.11g Wireless USB Utility.lnk = C:\Program Files\SMC\SMCWUSB-G 802.11g Wireless USB 2.0 Adapter\SMCWGUTI.exe

O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.files-ftp.com/~unicorni/phpBB2/index.php

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

 

--

End of file - 4410 bytes


What is this program?? C:\Program Files\Prg Chris\Anti-Autorun.inf\Anti-Autorun.inf.exe

• Relaunch HijackThis, choose "Do a system scan only", tick only the lines below and click Fix checked:

O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

O4 - HKCU\..\Run: [cdoosoft] C:\WINDOWS\system32\olhrwef.exe

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

 

==> click Fix checked

• Download OTMoveIt3 by OldTimer

http://oldtimer.geekstogo.com/OTMoveIt3.exe

* Save it to your desktop

* Double-click OTMoveIt3.exe to launch it (the extension may not be displayed)

* Copy and paste everything below into the "Paste Instructions for Items to be Moved" box (under the yellow bar):


:processes
explorer.exe

:files
C:\WINDOWS\system32\olhrwef.exe

:commands
[emptytemp]

 

 

 

* Click the red Moveit! button to start the cleanup and accept the reboot

* Copy and paste the contents of the report that appears after the reboot into your next reply

--> A report will be generated in the folder C:\_OTMoveIt\MovedFiles with the date and time the tool ran (mmddyyyy_hhmmss.log)

• Post a new HijackThis report


Anti-Autorun is a program that removes autorun

OK, here is the OTMoveIt report

========== PROCESSES ==========

Process explorer.exe killed successfully.

========== FILES ==========

C:\WINDOWS\system32\olhrwef.exe moved successfully.

========== COMMANDS ==========

File delete failed. C:\DOCUME~1\DEEPIM~1\LOCALS~1\Temp\dyari.exe scheduled to be deleted on reboot.

File delete failed. C:\DOCUME~1\DEEPIM~1\LOCALS~1\Temp\etilqs_ORAccvSOmK1EofrUTCYQ scheduled to be deleted on reboot.

File delete failed. C:\DOCUME~1\DEEPIM~1\LOCALS~1\Temp\~DFA6BC.tmp scheduled to be deleted on reboot.

User's Temp folder emptied.

User's Temporary Internet Files folder emptied.

User's Internet Explorer cache folder emptied.

Local Service Temp folder emptied.

File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.

Local Service Temporary Internet Files folder emptied.

Windows Temp folder emptied.

File delete failed. C:\Documents and Settings\deep imagination\Local Settings\Application Data\Mozilla\Firefox\Profiles\topxmkkm.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.

File delete failed. C:\Documents and Settings\deep imagination\Local Settings\Application Data\Mozilla\Firefox\Profiles\topxmkkm.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.

File delete failed. C:\Documents and Settings\deep imagination\Local Settings\Application Data\Mozilla\Firefox\Profiles\topxmkkm.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.

File delete failed. C:\Documents and Settings\deep imagination\Local Settings\Application Data\Mozilla\Firefox\Profiles\topxmkkm.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.

File delete failed. C:\Documents and Settings\deep imagination\Local Settings\Application Data\Mozilla\Firefox\Profiles\topxmkkm.default\urlclassifier3.sqlite scheduled to be deleted on reboot.

File delete failed. C:\Documents and Settings\deep imagination\Local Settings\Application Data\Mozilla\Firefox\Profiles\topxmkkm.default\XUL.mfl scheduled to be deleted on reboot.

FireFox cache emptied.

Temp folders emptied.

 

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 01272009_154657

 

Files moved on Reboot...

C:\DOCUME~1\DEEPIM~1\LOCALS~1\Temp\dyari.exe moved successfully.

File C:\DOCUME~1\DEEPIM~1\LOCALS~1\Temp\etilqs_ORAccvSOmK1EofrUTCYQ not found!

C:\DOCUME~1\DEEPIM~1\LOCALS~1\Temp\~DFA6BC.tmp moved successfully.

File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.

C:\Documents and Settings\deep imagination\Local Settings\Application Data\Mozilla\Firefox\Profiles\topxmkkm.default\Cache\_CACHE_001_ moved successfully.

C:\Documents and Settings\deep imagination\Local Settings\Application Data\Mozilla\Firefox\Profiles\topxmkkm.default\Cache\_CACHE_002_ moved successfully.

C:\Documents and Settings\deep imagination\Local Settings\Application Data\Mozilla\Firefox\Profiles\topxmkkm.default\Cache\_CACHE_003_ moved successfully.

C:\Documents and Settings\deep imagination\Local Settings\Application Data\Mozilla\Firefox\Profiles\topxmkkm.default\Cache\_CACHE_MAP_ moved successfully.

C:\Documents and Settings\deep imagination\Local Settings\Application Data\Mozilla\Firefox\Profiles\topxmkkm.default\urlclassifier3.sqlite moved successfully.

C:\Documents and Settings\deep imagination\Local Settings\Application Data\Mozilla\Firefox\Profiles\topxmkkm.default\XUL.mfl moved successfully.

 

HiJackThis report

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 15:54:07, on 27/01/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Silicon Integrated Systems\SiSRaidPackage\SRaid.exe

C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

C:\Program Files\Analog Devices\SoundMAX\Smax4.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\RALINK\Common\RaUI.exe

C:\Program Files\SMC\SMCWUSB-G 802.11g Wireless USB 2.0 Adapter\SMCWGUTI.exe

C:\WINDOWS\system32\sistray.exe

C:\Program Files\Prg Chris\Anti-Autorun.inf\Anti-Autorun.inf.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\DOCUME~1\DEEPIM~1\LOCALS~1\Temp\winyxyupi.exe

C:\Documents and Settings\deep imagination\Bureau\HiJackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.fr

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.files-ftp.com/~unicorni/phpBB2/index.php

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.files-ftp.com/~unicorni/phpBB2/index.php

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O4 - HKLM\..\Run: [siSRaid] C:\Program Files\Silicon Integrated Systems\SiSRaidPackage\SRaid.exe

O4 - HKLM\..\Run: [siSPower] Rundll32.exe SiSPower.dll,ModeAgent

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

O4 - HKLM\..\Run: [soundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SERVICE LOCAL')

O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SERVICE RÉSEAU')

O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')

O4 - Startup: Anti-Autorun-inf.lnk = C:\Program Files\Prg Chris\Anti-Autorun.inf\Anti-Autorun.inf.exe

O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Program Files\RALINK\Common\RaUI.exe

O4 - Global Startup: SMCWUSB-G 802.11g Wireless USB Utility.lnk = C:\Program Files\SMC\SMCWUSB-G 802.11g Wireless USB 2.0 Adapter\SMCWGUTI.exe

O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.files-ftp.com/~unicorni/phpBB2/index.php

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

 

--

End of file - 4706 bytes


Anti-Autorun is a program that removes autorun

Yeah right :P if you say so!!! Is your OS XP Pro or XP Home?? We'll see anyway.

• Temporarily disable your antivirus security solutions as well as Spybot's TeaTimer resident

To disable TeaTimer:

First display Advanced Mode in SpyBot

Advanced options:

- Mode menu, Advanced Mode.

A column of menus appears on the left:

- click Tools,

- click Resident,

In Resident:

- untick Resident "TeaTimer" to disable it.

Download combofix.exe (by sUBs) and save it to your desktop, nowhere else!!!!!!!!!!!!!!


http://download.bleepingcomputer.com/sUBs/ComboFix.exe

http://www.forospyware.com/sUBs/ComboFix.exe

http://subs.geekstogo.com/ComboFix.exe

 

* Double-click combofix.exe, accept the EULA that appears in order to run it, and follow the instructions.

* When the scan is complete, a report will appear; post it for me.

* If the file doesn't appear, it can be found here > C:\ComboFix.txt


OK, here is my ComboFix report :P


ComboFix 09-01-21.04 - deep imagination 2009-01-27 17:23:17.1 - NTFSx86

Microsoft Windows XP Professionnel 5.1.2600.2.1252.1.1036.18.990.649 [GMT 1:00]

Lancé depuis: c:\documents and settings\deep imagination\Bureau\ComboFix.exe

AV: AVG 7.5.552 *On-access scanning enabled* (Updated)

* Un nouveau point de restauration a été créé

.

 

(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))

.

 

c:\windows\InstFunc.dll

 

.

((((((((((((((((((((((((((((( Fichiers créés du 2008-12-27 au 2009-01-27 ))))))))))))))))))))))))))))))))))))

.

 

2009-01-27 15:46 . 2009-01-27 15:46 <REP> d-------- C:\_OTMoveIt

2009-01-27 15:33 . 2009-01-27 15:33 <REP> d-------- c:\program files\Fichiers communs\Adobe

2009-01-27 14:37 . 2008-11-06 02:03 <REP> d-------- C:\SDFix

2009-01-27 14:23 . 2009-01-27 14:23 95,744 -r-hs---- c:\windows\system32\nmdfgds1.dll

2009-01-27 14:22 . 2009-01-22 15:14 181,248 -r-hs---- C:\w98.com

2009-01-27 13:51 . 2009-01-27 13:51 <REP> d-------- c:\program files\Spybot - Search & Destroy

2009-01-27 13:51 . 2009-01-27 14:06 <REP> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-01-27 13:11 . 2009-01-27 13:11 <REP> d-------- c:\program files\Prg Chris

2009-01-27 13:03 . 2009-01-27 13:03 <REP> d--h----- c:\windows\system32\GroupPolicy

2009-01-26 17:52 . 2009-01-27 14:22 95,744 --------- c:\windows\system32\nmdfgds0.dll

2009-01-26 17:51 . 2009-01-26 18:37 <REP> dr-h----- C:\$VAULT$.AVG

2009-01-26 14:47 . 2009-01-26 14:47 <REP> d-------- c:\program files\EasyPHP1-8

2009-01-26 13:56 . 2009-01-27 14:22 <REP> d-------- c:\program files\ESET

2009-01-26 12:55 . 2009-01-26 12:55 <REP> d-------- c:\documents and settings\All Users\Application Data\ESET

2009-01-23 17:53 . 2009-01-23 17:53 0 --a------ c:\windows\nsreg.dat

2009-01-22 10:46 . 2005-05-17 15:24 311,296 --a------ c:\windows\system32\AegisI5.exe

2009-01-22 10:46 . 2006-01-18 09:08 290,918 --a------ c:\windows\system32\Install7x.dll

2009-01-22 10:46 . 2006-01-12 19:46 252,928 --a------ c:\windows\system32\drivers\rt73.sys

2009-01-22 10:46 . 2005-10-17 19:50 245,376 --a------ c:\windows\system32\drivers\rt2500usb.SYS

2009-01-22 10:46 . 2009-01-22 10:46 20,747 --a------ c:\windows\system32\drivers\AegisP.sys

2009-01-22 10:46 . 2005-11-30 11:33 2,048 --a------ c:\windows\system32\drivers\rt73.bin

2009-01-22 10:46 . 2005-08-19 15:51 138 --a------ c:\windows\filespec7x

2009-01-22 10:45 . 2009-01-22 10:45 <REP> d-------- c:\program files\RALINK

 

.

(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-01-27 14:57 --------- d-----w c:\documents and settings\deep imagination\Application Data\AVG7

2009-01-22 09:45 --------- d--h--w c:\program files\InstallShield Installation Information

2009-01-20 11:07 --------- d-----w c:\documents and settings\All Users\Application Data\avg7

2009-01-19 12:49 --------- d-----w c:\program files\SMC

2009-01-19 12:49 --------- d-----w c:\program files\Fichiers communs\InstallShield

2009-01-19 12:46 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help

2009-01-19 12:45 --------- d-----w c:\program files\MSBuild

2009-01-19 12:45 --------- d-----w c:\program files\Microsoft Works

2009-01-19 12:14 --------- d-----w c:\program files\Analog Devices

2009-01-19 12:07 --------- d-----w c:\program files\sisagp

2009-01-19 12:07 --------- d-----w c:\program files\SiS VGA Utilities V3.67e

2009-01-19 11:54 --------- d-----w c:\program files\Silicon Integrated Systems

2009-01-19 11:51 499,712 ----a-w c:\windows\system32\msvcp71.dll

2009-01-19 11:51 348,160 ----a-w c:\windows\system32\msvcr71.dll

2009-01-19 11:51 --------- d-----w c:\documents and settings\LocalService\Application Data\AVG7

2009-01-19 11:51 --------- d-----w c:\documents and settings\All Users\Application Data\Grisoft

2009-01-19 11:49 --------- d-----w c:\program files\WinZip Self-Extractor

2009-01-19 11:34 --------- d-----w c:\program files\microsoft frontpage

2009-01-19 11:33 --------- d-----w c:\program files\Services en ligne

.

 

((((((((((((((((((((((((((((((((( Points de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SiSRaid"="c:\program files\Silicon Integrated Systems\SiSRaidPackage\SRaid.exe" [2005-03-01 970752]

"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]

"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2009-01-19 590848]

"MSConfig"="c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2004-08-03 160768]

"SiSPower"="SiSPower.dll" [2005-05-26 c:\windows\system32\SiSPower.dll]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2009-01-19 301056]

 

c:\documents and settings\deep imagination\Menu Démarrer\Programmes\Démarrage\

Anti-Autorun-inf.lnk - c:\program files\Prg Chris\Anti-Autorun.inf\Anti-Autorun.inf.exe [2009-01-27 251904]

 

c:\documents and settings\All Users\Menu Démarrer\Programmes\Démarrage\

Ralink Wireless Utility.lnk - c:\program files\RALINK\Common\RaUI.exe [2009-01-22 589824]

SMCWUSB-G 802.11g Wireless USB Utility.lnk - c:\program files\SMC\SMCWUSB-G 802.11g Wireless USB 2.0 Adapter\SMCWGUTI.exe [2006-01-18 524288]

Utility Tray.lnk - c:\windows\system32\sistray.exe [2009-01-19 266240]

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]

"DisableTaskMgr"= 1 (0x1)

"DisableRegistryTools"= 1 (0x1)

 

[HKLM\~\startupfolder\C:^Documents and Settings^deep imagination^Menu Démarrer^Programmes^Démarrage^Anti-Autorun-inf.lnk]

path=c:\documents and settings\deep imagination\Menu Démarrer\Programmes\Démarrage\Anti-Autorun-inf.lnk

backup=c:\windows\pss\Anti-Autorun-inf.lnkStartup

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"FirewallDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

"UacDisableNotify"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]

"AntiVirusOverride"=dword:00000001

"AntiVirusDisableNotify"=dword:00000001

"FirewallDisableNotify"=dword:00000001

"FirewallOverride"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

"UacDisableNotify"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=

"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=

"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=

"c:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\SMC\\SMCWUSB-G 802.11g Wireless USB 2.0 Adapter\\SMCWGUTI.exe"=

"c:\\WINDOWS\\system32\\sistray.exe"=

 

R3 SMCWGU(SMC);SMCWUSB-G 802.11g Wireless USB 2.0 Adapter(SMC);c:\windows\system32\drivers\SMCWGU.sys [2009-01-19 408064]

S3 abp470n5;abp470n5;\??\c:\windows\system32\drivers\ihimjl.sys --> c:\windows\system32\drivers\ihimjl.sys [?]

S3 FXDRV;FXDRV;\??\e:\fxdrv.sys --> e:\Fxdrv.sys [?]

.

.

------- Examen supplémentaire -------

.

uStart Page = hxxp://www.files-ftp.com/~unicorni/phpBB2/index.php

IE: E&xporter vers Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\deep imagination\Application Data\Mozilla\Firefox\Profiles\topxmkkm.default\

.

 

**************************************************************************

 

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-01-27 17:24:11

Windows 5.1.2600 Service Pack 2 NTFS

 

Recherche de processus cachés ...

 

Recherche d'éléments en démarrage automatique cachés ...

 

Recherche de fichiers cachés ...

 

Scan terminé avec succès

Fichiers cachés: 0

 

**************************************************************************

.

Heure de fin: 2009-01-27 17:29:17

ComboFix-quarantined-files.txt 2009-01-27 16:29:12

 

Avant-CF: 27 615 322 112 octets libres

Après-CF: 27,562,921,984 octets libres

 

WindowsXP-KB310994-SP2-Pro-BootDisk-FRA.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professionnel" /noexecute=optin /fastdetect

 


Haven't you had a Sality-type infection recently??? This line makes me suspicious:

S3 abp470n5;abp470n5;\??\c:\windows\system32\drivers\ihimjl.sys --> c:\windows\system32\drivers\ihimjl.sys [?]

because abp470n5 is created by Sality, proof here: http://www.threatexpert.com/report.aspx?md...5e3a2644dc258a2

this should have been caught by OT's [emptytemp] --> C:\DOCUME~1\DEEPIM~1\LOCALS~1\Temp\winyxyupi.exe

and then you have something weird:

File delete failed. C:\DOCUME~1\DEEPIM~1\LOCALS~1\Temp\dyari.exe scheduled to be deleted on reboot.

the name in Temp isn't the same and it wasn't found /!\ , random.....!!! that is the question /!\

• Open Notepad [Run -- notepad] and copy/paste the contents of the box below:


http://forum.zebulon.fr/rapport-ou-log-du-hijackthis-t158296.html

Collect::
c:\windows\system32\nmdfgds1.dll
c:\windows\system32\nmdfgds0.dll
Driver::
FXDRV
abp470n5
File::
C:\w98.com
c:\windows\system32\drivers\ihimjl.sys
Folder::
C:\SDFix

 

* Go to the top of the page and click the "File" menu; a list appears =>

* Choose "Save as" and choose "Desktop"

* In the "File name" field at the bottom of the page, enter the following name: CFScript

* Click the "Save" button to the right of the "File name" field

* Exit Notepad.

* Drag and drop this CFScript file onto the ComboFix.exe file, as in the screenshot

(screenshot: CFScriptB-4.gif)

* Follow the instructions

* Wait while the scan runs. The desktop will disappear several times: this is normal!

Don't touch anything until the scan has finished.

* Once the scan is complete, a report will be displayed: post its contents.

* If the file doesn't appear, it can be found here > C:\ComboFix.txt

* A zipped file will be created in c:\qoobox\quarantine > [4]-Submit_Date_Time.zip, so you will need to upload this file at this address, thanks:

http://www.bleepingcomputer.com/submit-malware.php?channel=4

specifying the link to your thread:

Link to topic where this file was requested: http://forum.zebulon.fr/rapport-ou-log-du-hijackthis-t158296.html

• Along with that report, post a new HijackThis report

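A defender's triage of the two log formats in this thread, added here as an example (it is not a tool from the thread, nor from the HijackThis or ComboFix authors): it parses HijackThis entries and the REGEDIT4-style loading-points section of a ComboFix report and flags the things the helper acted on above: O7 policy restrictions (the disabled Task Manager and Regedit), executables running or auto-starting from a Temp folder, Security Center Override/DisableNotify values, and a disabled firewall. The sample log lines are constructed, modelled on this thread's logs, and the finding categories are this example's own names.

```python
"""Defensive triage of the log formats in this thread: HijackThis 2.x entries and the
REGEDIT4-style section of a ComboFix report (added example, not a tool from the thread).
A name-only check cannot tell a dropper in system32 from an OEM tool, so entries such as
the thread's olhrwef.exe are not flagged here; they need a hash/reputation lookup."""
import re

# Constructed samples, modelled on (not copied from) the logs posted in this thread.
HJT_SAMPLE = """\
Running processes:
C:\\DOCUME~1\\DEEPIM~1\\LOCALS~1\\Temp\\winpggmj.exe

O4 - HKLM\\..\\Run: [siSRaid] C:\\Program Files\\Silicon Integrated Systems\\SiSRaidPackage\\SRaid.exe
O4 - HKLM\\..\\Run: [soundMAX] "C:\\Program Files\\Analog Devices\\SoundMAX\\Smax4.exe" /tray
O4 - HKCU\\..\\Run: [updater] C:\\DOCUME~1\\USER~1\\LOCALS~1\\Temp\\dyari.exe
O4 - Startup: Anti-Autorun-inf.lnk = C:\\Program Files\\Prg Chris\\Anti-Autorun.inf\\Anti-Autorun.inf.exe
O7 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System, DisableRegedit=1
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\\PROGRA~1\\Grisoft\\AVG7\\avgupsvc.exe
"""
COMBOFIX_REG_SAMPLE = """\
[HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\policies\\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000000

[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

TEMP_DIR = re.compile(r"\\temp\\", re.IGNORECASE)  # matches LOCALS~1\Temp\ and Local Settings\Temp\
# A quoted path, or an unquoted path (spaces allowed) ending in a program-like extension.
EXE_PATH = re.compile(r'^"([^"]+)"|^(.+?\.(?:exe|dll|com|scr|pif|bat|cmd|sys))(?=\s|$)', re.IGNORECASE)
RESTRICTIONS = {"disabletaskmgr", "disableregistrytools", "disablecmd"}  # Policies\System values
REG_KEY = re.compile(r"^\[(.+)\]$")
REG_VALUE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')


def command_path(cmd):
    """Program path from an O4/O23 command line, tolerating unquoted paths with spaces."""
    m = EXE_PATH.match(cmd.strip())
    # Fallback when no recognised extension is present, e.g. "dumprep 0 -u" -> "dumprep"
    return (m.group(1) or m.group(2)) if m else cmd.strip().split(" ")[0]


def triage_hijackthis(text):
    """Return (category, detail) findings for a HijackThis log."""
    findings, in_procs = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:  # the process list ends at the first blank line
            if not line:
                in_procs = False
            elif TEMP_DIR.search(line):
                findings.append(("process-from-temp", line))
            continue
        if line.startswith("O7 - "):  # any user policy restriction deserves a look
            findings.append(("policy-restriction", line[5:]))
        elif line.startswith("O4 - "):  # "...Run: [label] cmd" or "Startup: x.lnk = path"
            rest = line[5:]
            cmd = rest.split(" = ", 1)[1] if " = " in rest else rest.split("] ", 1)[-1]
            path = command_path(cmd)
            if TEMP_DIR.search(path):
                findings.append(("autorun-from-temp", path))
        elif line.startswith("O23 - "):  # "O23 - Service: name - vendor - path"
            path = line.rsplit(" - ", 1)[-1]
            if TEMP_DIR.search(path):
                findings.append(("service-from-temp", path))
    return findings


def reg_int(value):
    """Parse the numeric forms ComboFix prints, 'dword:00000001' or '1 (0x1)'; None otherwise."""
    value = value.strip()
    if value.lower().startswith("dword:"):
        return int(value[6:], 16)
    m = re.match(r"^(\d+)\s*\(0x", value)
    return int(m.group(1)) if m else None


def triage_combofix_reg(text):
    """Return (category, detail) findings for ComboFix's REGEDIT4-style section."""
    findings, key = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        m = REG_KEY.match(line)
        if m:
            key = m.group(1).lower()  # current registry key, lower-cased for comparisons
            continue
        m = REG_VALUE.match(line)
        if not m or (value := reg_int(m.group(2))) is None:
            continue
        name = m.group(1)
        lname = name.lower()
        if key.endswith("policies\\system") and lname in RESTRICTIONS and value != 0:
            findings.append(("user-tool-disabled", f"{name}={value}"))  # a greyed-out Task Manager
        elif "security center" in key and value == 1 and lname.endswith(("override", "disablenotify")):
            findings.append(("security-center-alert-suppressed", name))
        elif lname == "enablefirewall" and value == 0:
            findings.append(("firewall-disabled", key))
    return findings


if __name__ == "__main__":
    for category, detail in triage_hijackthis(HJT_SAMPLE) + triage_combofix_reg(COMBOFIX_REG_SAMPLE):
        print(f"{category:34} {detail}")
```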

OK thanks, I did all the steps you asked me to, here it is

ComboFix report


ComboFix 09-01-21.04 - deep imagination 2009-01-28 13:07:16.2 - NTFSx86

Microsoft Windows XP Professionnel 5.1.2600.2.1252.1.1036.18.990.616 [GMT 1:00]

Lancé depuis: c:\documents and settings\deep imagination\Bureau\ComboFix.exe

Commutateurs utilisés :: c:\documents and settings\deep imagination\Bureau\CFScript.txt

AV: AVG 7.5.552 *On-access scanning enabled* (Updated)

* Un nouveau point de restauration a été créé

 

FILE ::

C:\w98.com

c:\windows\system32\drivers\ihimjl.sys

.

 

(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\SDFix

c:\sdfix\Add_DBFix_RunOnce_key.inf

c:\sdfix\apps\assosfix.reg

c:\sdfix\apps\Cghtme.exe

c:\sdfix\apps\cliptext.exe

c:\sdfix\apps\DBFix.inf

c:\sdfix\apps\download.exe

c:\sdfix\apps\dummy.sys

c:\sdfix\apps\Enable_Command_Prompt.inf

c:\sdfix\apps\Enable_Command_Prompt.reg

c:\sdfix\apps\ERDNT.E_E

c:\sdfix\apps\ERDNTDOS.LOC

c:\sdfix\apps\ERDNTWIN.LOC

c:\sdfix\apps\ERUNT.EXE

c:\sdfix\apps\ERUNT.LOC

c:\sdfix\apps\fix.reg

c:\sdfix\apps\FixBeep.reg

c:\sdfix\apps\FixBH.reg

c:\sdfix\apps\FixComponents.reg

c:\sdfix\apps\FIXCU.reg

c:\sdfix\apps\FIXLM.reg

c:\sdfix\apps\FixPath.exe

c:\sdfix\apps\FixRedir.reg

c:\sdfix\apps\FixSchedule.reg

c:\sdfix\apps\FixWebCheck.reg

c:\sdfix\apps\fixXP.reg

c:\sdfix\apps\FixXPsp2.reg

c:\sdfix\apps\grep.exe

c:\sdfix\apps\HaxdFix.reg

c:\sdfix\apps\HPFix.reg

c:\sdfix\apps\HPFix2.reg

c:\sdfix\apps\HPFix3.reg

c:\sdfix\apps\HPFix4.reg

c:\sdfix\apps\HPFix5.reg

c:\sdfix\apps\HPFix6.reg

c:\sdfix\apps\HPFix7.reg

c:\sdfix\apps\HPFix8.reg

c:\sdfix\apps\HPFix9.reg

c:\sdfix\apps\Installed.txt

c:\sdfix\apps\isadmin.exe

c:\sdfix\apps\leg2.txt

c:\sdfix\apps\legacy.txt

c:\sdfix\apps\legacybk.txt

c:\sdfix\apps\locate.com

c:\sdfix\apps\LS.exe

c:\sdfix\apps\MD5File.exe

c:\sdfix\apps\moveex.exe

c:\sdfix\apps\MyGcpvFix.reg

c:\sdfix\apps\MyGkFix2.reg

c:\sdfix\apps\Process.exe

c:\sdfix\apps\procs.exe

c:\sdfix\apps\psservice.exe

c:\sdfix\apps\Rem.txt

c:\sdfix\apps\Rem2.txt

c:\sdfix\apps\Replace\regedit.exe

c:\sdfix\apps\Replace\w2k\AUTOEXEC.NT

c:\sdfix\apps\Replace\w2k\beep.sys

c:\sdfix\apps\Replace\w2k\command.com

c:\sdfix\apps\Replace\w2k\command.PIF

c:\sdfix\apps\Replace\w2k\CONFIG.NT

c:\sdfix\apps\Replace\w2k\null.sys

c:\sdfix\apps\Replace\xp\AUTOEXEC.NT

c:\sdfix\apps\Replace\xp\beep.sys

c:\sdfix\apps\Replace\xp\command.com

c:\sdfix\apps\Replace\xp\command.PIF

c:\sdfix\apps\Replace\xp\CONFIG.NT

c:\sdfix\apps\Replace\xp\null.sys

c:\sdfix\apps\Reset_AppInit_DLLs.reg

c:\sdfix\apps\RestartIt!.exe

c:\sdfix\apps\Restore_SafeBoot_Windows2000.reg

c:\sdfix\apps\Restore_SafeBoot_WindowsXP.reg

c:\sdfix\apps\Restore_SafeBoot_WindowsXP_SP2.reg

c:\sdfix\apps\Restore_SafeBoot_WindowsXP_SP3.reg

c:\sdfix\apps\Restore_SecurityCenter.reg

c:\sdfix\apps\Restore_SharedAccess.reg

c:\sdfix\apps\sc.exe

c:\sdfix\apps\sed.exe

c:\sdfix\apps\SF.exe

c:\sdfix\apps\shutdown.exe

c:\sdfix\apps\srv2.txt

c:\sdfix\apps\srv2bk.txt

c:\sdfix\apps\svc.txt

c:\sdfix\apps\svcbk.txt

c:\sdfix\apps\Swreg.exe

c:\sdfix\apps\swsc.exe

c:\sdfix\apps\UnRAR.exe

c:\sdfix\apps\unzip.exe

c:\sdfix\apps\vfind.exe

c:\sdfix\apps\WINMSG.EXE

c:\sdfix\apps\winsec.reg

c:\sdfix\apps\zip.exe

c:\sdfix\catchme.exe

c:\sdfix\DBFix.bat

c:\sdfix\dummy.sys

c:\sdfix\RunThis.bat

c:\sdfix\SDFIX_ReadMe_Online.url

c:\sdfix\W2K_VirusAlert_Repair.inf

c:\sdfix\XP_VirusAlert_Repair.inf

C:\w98.com

c:\windows\system32\nmdfgds0.dll

c:\windows\system32\nmdfgds1.dll

 

.

((((((((((((((((((((((((((((((((((((((( Pilotes/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

-------\Legacy_FXDRV

-------\Service_abp470n5

-------\Service_FXDRV

 

 

((((((((((((((((((((((((((((( Fichiers créés du 2008-12-28 au 2009-01-28 ))))))))))))))))))))))))))))))))))))

.

 

2009-01-28 12:33 . 2009-01-28 12:33 <REP> d-------- c:\program files\Macromedia

2009-01-28 12:33 . 2009-01-28 12:33 <REP> d-------- c:\program files\Fichiers communs\Macromedia

2009-01-27 15:46 . 2009-01-27 15:46 <REP> d-------- C:\_OTMoveIt

2009-01-27 15:33 . 2009-01-27 15:33 <REP> d-------- c:\program files\Fichiers communs\Adobe

2009-01-27 13:51 . 2009-01-27 13:51 <REP> d-------- c:\program files\Spybot - Search & Destroy

2009-01-27 13:51 . 2009-01-27 14:06 <REP> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-01-27 13:11 . 2009-01-27 13:11 <REP> d-------- c:\program files\Prg Chris

2009-01-27 13:03 . 2009-01-27 13:03 <REP> d--h----- c:\windows\system32\GroupPolicy

2009-01-26 17:51 . 2009-01-26 18:37 <REP> dr-h----- C:\$VAULT$.AVG

2009-01-26 14:47 . 2009-01-27 17:58 <REP> d-------- c:\program files\EasyPHP1-8

2009-01-26 13:56 . 2009-01-27 14:22 <REP> d-------- c:\program files\ESET

2009-01-26 12:55 . 2009-01-26 12:55 <REP> d-------- c:\documents and settings\All Users\Application Data\ESET

2009-01-23 17:53 . 2009-01-23 17:53 0 --a------ c:\windows\nsreg.dat

2009-01-22 10:46 . 2005-05-17 15:24 311,296 --a------ c:\windows\system32\AegisI5.exe

2009-01-22 10:46 . 2006-01-18 09:08 290,918 --a------ c:\windows\system32\Install7x.dll

2009-01-22 10:46 . 2006-01-12 19:46 252,928 --a------ c:\windows\system32\drivers\rt73.sys

2009-01-22 10:46 . 2005-10-17 19:50 245,376 --a------ c:\windows\system32\drivers\rt2500usb.SYS

2009-01-22 10:46 . 2009-01-22 10:46 20,747 --a------ c:\windows\system32\drivers\AegisP.sys

2009-01-22 10:46 . 2005-11-30 11:33 2,048 --a------ c:\windows\system32\drivers\rt73.bin

2009-01-22 10:46 . 2005-08-19 15:51 138 --a------ c:\windows\filespec7x

2009-01-22 10:45 . 2009-01-22 10:45 <REP> d-------- c:\program files\RALINK

 

.

(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-01-28 11:55 --------- d-----w c:\documents and settings\deep imagination\Application Data\AVG7

2009-01-22 09:45 --------- d--h--w c:\program files\InstallShield Installation Information

2009-01-20 11:07 --------- d-----w c:\documents and settings\All Users\Application Data\avg7

2009-01-19 12:49 --------- d-----w c:\program files\SMC

2009-01-19 12:49 --------- d-----w c:\program files\Fichiers communs\InstallShield

2009-01-19 12:46 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help

2009-01-19 12:45 --------- d-----w c:\program files\MSBuild

2009-01-19 12:45 --------- d-----w c:\program files\Microsoft Works

2009-01-19 12:14 --------- d-----w c:\program files\Analog Devices

2009-01-19 12:07 --------- d-----w c:\program files\sisagp

2009-01-19 12:07 --------- d-----w c:\program files\SiS VGA Utilities V3.67e

2009-01-19 11:54 --------- d-----w c:\program files\Silicon Integrated Systems

2009-01-19 11:51 499,712 ----a-w c:\windows\system32\msvcp71.dll

2009-01-19 11:51 348,160 ----a-w c:\windows\system32\msvcr71.dll

2009-01-19 11:51 --------- d-----w c:\documents and settings\LocalService\Application Data\AVG7

2009-01-19 11:51 --------- d-----w c:\documents and settings\All Users\Application Data\Grisoft

2009-01-19 11:49 --------- d-----w c:\program files\WinZip Self-Extractor

2009-01-19 11:34 --------- d-----w c:\program files\microsoft frontpage

2009-01-19 11:33 --------- d-----w c:\program files\Services en ligne

.

 

((((((((((((((((((((((((((((( [email protected]_17.24.30,53 )))))))))))))))))))))))))))))))))))))))))

.

+ 2005-09-16 15:26:58 192,512 ----a-w c:\windows\Downloaded Installations\Macromedia Dreamweaver 8\DW_Client_Installer.exe

+ 2005-09-16 15:26:58 2,003,176 ----a-w c:\windows\Downloaded Installations\Macromedia Dreamweaver 8\WindowsInstaller-KB884016-v2-x86.exe

+ 2005-10-20 19:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE

+ 2009-01-28 11:33:17 65,536 ----a-r c:\windows\Installer\{3C8C9FB3-5FDF-40B4-B314-EAD722728C76}\EMARPPRODUCTICON.exe

+ 2009-01-28 11:34:02 65,536 ----a-r c:\windows\Installer\{5FD788ED-1A37-4496-9BDD-463F493B27FA}\DWARPPRODUCTICON.exe

- 2009-01-27 16:11:31 324,320 ----a-w c:\windows\system32\FNTCACHE.DAT

+ 2009-01-28 12:09:26 325,112 ----a-w c:\windows\system32\FNTCACHE.DAT

+ 2009-01-28 12:09:41 16,384 ----atw c:\windows\temp\Perflib_Perfdata_4cc.dat

.

((((((((((((((((((((((((((((((((( Points de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SiSRaid"="c:\program files\Silicon Integrated Systems\SiSRaidPackage\SRaid.exe" [2005-03-01 970752]

"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]

"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2009-01-19 590848]

"SiSPower"="SiSPower.dll" [2005-05-26 c:\windows\system32\SiSPower.dll]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2009-01-19 301056]

 

c:\documents and settings\deep imagination\Menu Démarrer\Programmes\Démarrage\

Anti-Autorun-inf.lnk - c:\program files\Prg Chris\Anti-Autorun.inf\Anti-Autorun.inf.exe [2009-01-27 251904]

 

c:\documents and settings\All Users\Menu Démarrer\Programmes\Démarrage\

Ralink Wireless Utility.lnk - c:\program files\RALINK\Common\RaUI.exe [2009-01-22 667648]

SMCWUSB-G 802.11g Wireless USB Utility.lnk - c:\program files\SMC\SMCWUSB-G 802.11g Wireless USB 2.0 Adapter\SMCWGUTI.exe [2006-01-18 524288]

Utility Tray.lnk - c:\windows\system32\sistray.exe [2009-01-19 266240]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableLUA"= 0 (0x0)

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]

"DisableTaskMgr"= 1 (0x1)

"DisableRegistryTools"= 1 (0x1)

 

[HKLM\~\startupfolder\C:^Documents and Settings^deep imagination^Menu Démarrer^Programmes^Démarrage^Anti-Autorun-inf.lnk]

path=c:\documents and settings\deep imagination\Menu Démarrer\Programmes\Démarrage\Anti-Autorun-inf.lnk

backup=c:\windows\pss\Anti-Autorun-inf.lnkStartup

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

"UacDisableNotify"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]

"AntiVirusOverride"=dword:00000001

"AntiVirusDisableNotify"=dword:00000001

"FirewallDisableNotify"=dword:00000001

"FirewallOverride"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

"UacDisableNotify"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=

"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=

"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=

"c:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\SMC\\SMCWUSB-G 802.11g Wireless USB 2.0 Adapter\\SMCWGUTI.exe"=

"c:\\WINDOWS\\system32\\sistray.exe"=

"c:\\PROGRA~1\\EASYPH~1\\MySql\\bin\\mysqld.exe"=

"c:\\Program Files\\Silicon Integrated Systems\\SiSRaidPackage\\SRaid.exe"=

"c:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe"=

 

R3 SMCWGU(SMC);SMCWUSB-G 802.11g Wireless USB 2.0 Adapter(SMC);c:\windows\system32\drivers\SMCWGU.sys [2009-01-19 408064]

.

.

------- Examen supplémentaire -------

.

uStart Page = hxxp://www.files-ftp.com/~unicorni/phpBB2/index.php

IE: E&xporter vers Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\deep imagination\Application Data\Mozilla\Firefox\Profiles\topxmkkm.default\

.

 

**************************************************************************

 

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-01-28 13:09:51

Windows 5.1.2600 Service Pack 2 NTFS

 

Recherche de processus cachés ...

 

Recherche d'éléments en démarrage automatique cachés ...

 

Recherche de fichiers cachés ...

 

Scan terminé avec succès

Fichiers cachés: 0

 

**************************************************************************

.

------------------------ Autres processus actifs ------------------------

.

c:\progra~1\Grisoft\AVG7\avgamsvr.exe

c:\progra~1\Grisoft\AVG7\avgupsvc.exe

c:\progra~1\Grisoft\AVG7\avgemc.exe

c:\program files\Analog Devices\SoundMAX\SMAgent.exe

.

**************************************************************************

.

Heure de fin: 2009-01-28 13:12:39 - La machine a redémarré

ComboFix-quarantined-files.txt 2009-01-28 12:12:36

ComboFix2.txt 2009-01-27 16:29:20

 

Avant-CF: 27 049 578 496 octets libres

Après-CF: 26,927,542,272 octets libres

 


 

HiJackThis report

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 13:21, on 28/01/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\SMC\SMCWUSB-G 802.11g Wireless USB 2.0 Adapter\SMCWGUTI.exe

C:\WINDOWS\system32\sistray.exe

C:\Program Files\Prg Chris\Anti-Autorun.inf\Anti-Autorun.inf.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\deep imagination\Bureau\HiJackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.files-ftp.com/~unicorni/phpBB2/index.php

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O4 - HKLM\..\Run: [siSRaid] C:\Program Files\Silicon Integrated Systems\SiSRaidPackage\SRaid.exe

O4 - HKLM\..\Run: [siSPower] Rundll32.exe SiSPower.dll,ModeAgent

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')

O4 - Startup: Anti-Autorun-inf.lnk = C:\Program Files\Prg Chris\Anti-Autorun.inf\Anti-Autorun.inf.exe

O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Program Files\RALINK\Common\RaUI.exe

O4 - Global Startup: SMCWUSB-G 802.11g Wireless USB Utility.lnk = C:\Program Files\SMC\SMCWUSB-G 802.11g Wireless USB 2.0 Adapter\SMCWGUTI.exe

O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.files-ftp.com/~unicorni/phpBB2/index.php

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

 

--

End of file - 4403 bytes


• Did you upload c:\qoobox\quarantine > [4]-Submit_Date_Time.zip to this address: http://www.bleepingcomputer.com/submit-malware.php?channel=4

 

??

 

• Run HijackThis again, "Do a system scan only", tick only the line below and click Fix checked:

 

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

 

==> click Fix checked

 

If Spybot's TeaTimer pops up, allow the change.

 

• Download restoreregedit.vbs to your desktop and run it:

 

restoreregedit.vbs This is your download URL. It expires in 1 day.: http://senduit.com/6da1e0

 

• * Run a Kaspersky online scan

http://www.kaspersky.com/kos/eng/partner/d...kavwebscan.html

* Click Accept

* A yellow bar will ask whether you accept installing Kavwebscan_Unicode.cab; install the ActiveX.

* Click "Accept" again

* The update databases will install; wait a moment

* Click Next.

* Click My Computer; the scan starts. Wait for the scan to finish without closing the window, otherwise it will stop. Post the report at the end of the analysis.

 

Tutorial for scanning correctly and posting the report: http://www.malekal.com/scan_Av_en_ligne.php#mozTocId291566

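An added example, not from this thread and not code from ComboFix, HijackThis or Kaspersky: a small Python triage script that parses policy lines in the two formats shown in the ComboFix and HijackThis logs above (constructed sample lines inline, not the full logs) and flags the values that explain the reported symptoms (Task Manager and regedit blocked, firewall off, Security Center alerts silenced). The rule table, expected values and severities are my own choices.

```python
import re

# Constructed sample lines (not the full logs) in the two formats seen in this
# thread: the "Points de chargement Reg" section of a ComboFix log, where a value
# is written either as  NAME= 1 (0x1)  or as  NAME=dword:00000001, and a
# HijackThis O7 line, which reports one policy restriction per line.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
"""

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(
    r'^"(?P<name>[^"]+)"\s*=\s*(?:dword:(?P<hex>[0-9a-fA-F]{8})|(?P<dec>\d+))'
)
O7_RE = re.compile(r"^O7 - (?P<key>[^,]+),\s*(?P<name>\w+)=(?P<val>\d+)")

# (key fragment, value name) -> (severity, expected value, what a deviation means).
# The fragment is matched case-insensitively inside the key, so one rule covers
# the HKLM and HKCU policy keys and both Security Center keys. Severities are
# my own choices, not a Microsoft or ComboFix classification.
POLICY_RULES = {
    ("policies\\system", "DisableTaskMgr"): ("high", 0, "Task Manager blocked by policy"),
    ("policies\\system", "DisableRegistryTools"): ("high", 0, "regedit blocked by policy"),
    # HijackThis O7 lines report DisableRegistryTools under the name DisableRegedit.
    ("policies\\system", "DisableRegedit"): ("high", 0, "regedit blocked by policy (O7)"),
    ("firewallpolicy\\standardprofile", "EnableFirewall"): ("high", 1, "Windows Firewall off"),
    ("security center", "AntiVirusDisableNotify"): ("medium", 0, "AV alerts silenced"),
    ("security center", "FirewallDisableNotify"): ("medium", 0, "firewall alerts silenced"),
    ("security center", "UpdatesDisableNotify"): ("medium", 0, "update alerts silenced"),
    ("security center", "AntiVirusOverride"): ("medium", 0, "AV status override set"),
    ("security center", "FirewallOverride"): ("medium", 0, "firewall status override set"),
}
SEVERITY_ORDER = {"high": 0, "medium": 1}


def parse_policy_lines(text):
    """Yield (registry_key, value_name, int_value) for every value line found.

    A section header supplies the key for the '"name"= value' lines that follow
    it; an O7 line carries its own key and is yielded directly.
    """
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current_key = m.group("key")
            continue
        m = O7_RE.match(line)
        if m:
            yield m.group("key"), m.group("name"), int(m.group("val"))
            continue
        m = VALUE_RE.match(line)
        if m and current_key is not None:
            value = int(m.group("hex"), 16) if m.group("hex") else int(m.group("dec"))
            yield current_key, m.group("name"), value


def triage(text):
    """Return the policy values that deviate from a healthy default, worst first."""
    findings = []
    for key, name, value in parse_policy_lines(text):
        for (fragment, rule_name), (severity, expected, why) in POLICY_RULES.items():
            if fragment in key.lower() and rule_name.lower() == name.lower() and value != expected:
                findings.append({"severity": severity, "key": key, "name": name,
                                 "value": value, "expected": expected, "why": why})
    findings.sort(key=lambda f: SEVERITY_ORDER[f["severity"]])  # stable: log order within a level
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("%-6s %s\\%s = %d (expected %d): %s"
              % (f["severity"], f["key"], f["name"], f["value"], f["expected"], f["why"]))
```

Lines the rule table does not know (EnableLUA here) produce no finding, so the output is only the values worth acting on; on a file-infector like the one discussed later in this thread these values are typically re-applied until the infection itself is cleaned.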

ok thanks, here is the Kaspersky report

 

KASPERSKY ONLINE SCANNER 7 REPORT

Wednesday, January 28, 2009

Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)

Kaspersky Online Scanner 7 version: 7.0.25.0

Program database last update: Wednesday, January 28, 2009 13:34:43

Records in database: 1720439

Scan settings

Scan using the following database extended

Scan archives yes

Scan mail databases yes

Scan area My Computer

A:\

C:\

D:\

E:\

Scan statistics

Files scanned 86475

Threat name 3

Infected objects 85

Suspicious objects 0

Duration of the scan 01:30:03

 

File name Threat name Threats count

C:\Program Files\Silicon Integrated Systems\SiSRaidPackage\SRaid.exe/C:\Program Files\Silicon Integrated Systems\SiSRaidPackage\SRaid.exe Infected: Virus.Win32.Sality.aa 1

C:\Program Files\Java\jre6\bin\jusched.exe/C:\Program Files\Java\jre6\bin\jusched.exe Infected: Virus.Win32.Sality.aa 1

C:\Program Files\RALINK\Common\RaUI.exe/C:\Program Files\RALINK\Common\RaUI.exe Infected: Virus.Win32.Sality.aa 1

C:\Program Files\SMC\SMCWUSB-G 802.11g Wireless USB 2.0 Adapter\SMCWGUTI.exe/C:\Program Files\SMC\SMCWUSB-G 802.11g Wireless USB 2.0 Adapter\SMCWGUTI.exe Infected: Virus.Win32.Sality.aa 1

C:\Program Files\Macromedia\Dreamweaver 8\Dreamweaver.exe/C:\Program Files\Macromedia\Dreamweaver 8\Dreamweaver.exe Infected: Virus.Win32.Sality.aa 1

C:\Program Files\EasyPHP1-8\EasyPHP.exe/C:\Program Files\EasyPHP1-8\EasyPHP.exe Infected: Virus.Win32.Sality.aa 1

C:\Documents and Settings\All Users\Menu Démarrer\Programmes\IDEUtil\SISIDE.exe Infected: Virus.Win32.Sality.aa 1

C:\Documents and Settings\deep imagination\Bureau\Adobe Creative CS4\Adobe_CS4 crack\Adobe CS4 Master Collection and Activation by P!mPdoG\Adobe CS4 Master Collection_ACTIVATION PATCH by P!mPdOG(2).exe Infected: Virus.Win32.Sality.aa 1

C:\Documents and Settings\deep imagination\Bureau\Adobe Creative CS4\Adobe_CS4 crack\Adobe CS4 Master Collection and Activation by P!mPdoG\Adobe Master Collecion CS4 KEYGEN by P!mPdOG.exe Infected: Virus.Win32.Sality.aa 1

C:\Documents and Settings\deep imagination\Bureau\Adobe Creative CS4\Adobe_CS4 crack\Adobe CS4 Master Collection Windows ISO FIX repack FINAL\PowerISO.exe Infected: Virus.Win32.Sality.aa 1

C:\Documents and Settings\deep imagination\Bureau\Adobe Creative CS4\Adobe_CS4 crack\keygen patched\keygen.exe Infected: Virus.Win32.Sality.aa 1

C:\Documents and Settings\deep imagination\Bureau\Adobe Creative CS4\Adobe_CS4 crack\Universal Adobe Cs4 Complete Patcher By Dell T\Universal Adobe Cs4 Complete Patcher By Dell T.exe Infected: Virus.Win32.Sality.aa 1

C:\Documents and Settings\deep imagination\Bureau\ComboFix.exe Infected: Virus.Win32.Sality.aa 1

C:\Documents and Settings\deep imagination\Bureau\HiJackThis.exe Infected: Virus.Win32.Sality.aa 1

C:\Documents and Settings\deep imagination\Bureau\jxpiinstall-6u11-fcs-bin-b90-windows-i586-25_nov_2008.exe Infected: Virus.Win32.Sality.aa 1

C:\Documents and Settings\deep imagination\Bureau\Logiciel\install_flash_player.exe Infected: Virus.Win32.Sality.aa 1

C:\Documents and Settings\deep imagination\Bureau\Logiciel\mozilla-firefox_mozilla_firefox_3.0.5_francais_11003.exe Infected: Virus.Win32.Sality.aa 1

C:\Documents and Settings\deep imagination\Bureau\SDFix.exe Infected: Virus.Win32.Sality.aa 1

C:\Documents and Settings\deep imagination\Bureau\xpiinstall-6u11-fcs-bin-b90-windows-i586-25_nov_2008.exe Infected: Virus.Win32.Sality.aa 1

C:\Program Files\Adobe\Acrobat 6.0\Reader\plug_ins\Printme\ConsoleApp.exe Infected: Virus.Win32.Sality.aa 1

C:\Program Files\Adobe\Acrobat 6.0\Reader\Updater\acroaum.exe Infected: Virus.Win32.Sality.aa 1

C:\Program Files\Analog Devices\SoundMAX\AEEnable.exe Infected: Virus.Win32.Sality.aa 1

C:\Program Files\Analog Devices\SoundMAX\DLSLdr.exe Infected: Virus.Win32.Sality.aa 1

C:\Program Files\Analog Devices\SoundMAX\install.exe Infected: Virus.Win32.Sality.aa 1

C:\Program Files\Analog Devices\SoundMAX\RemADI.exe Infected: Virus.Win32.Sality.aa 1

C:\Program Files\Analog Devices\SoundMAX\RemDev.exe Infected: Virus.Win32.Sality.aa 1

C:\Program Files\Analog Devices\SoundMAX\Remove.exe Infected: Virus.Win32.Sality.aa 1

C:\Program Files\Analog Devices\SoundMAX\SMAgentI.exe Infected: Virus.Win32.Sality.aa 1

C:\Program Files\Analog Devices\SoundMAX\SMAgentX.exe Infected: Virus.Win32.Sality.aa 1

C:\Program Files\Analog Devices\SoundMAX\SMax4.exe Infected: Virus.Win32.Sality.aa 1

C:\Program Files\Analog Devices\SoundMAX\SMax4Wiz.exe Infected: Virus.Win32.Sality.aa 1

C:\Program Files\EasyPHP1-8\apache\bin\htdigest.exe Infected: Virus.Win32.Sality.aa 1

C:\Program Files\EasyPHP1-8\apache\bin\htpasswd.exe Infected: Virus.Win32.Sality.aa 1

C:\Program Files\EasyPHP1-8\apache\bin\rotatelogs.exe Infected: Virus.Win32.Sality.aa 1

C:\Program Files\EasyPHP1-8\EasyPHP.exe Infected: Virus.Win32.Sality.aa 1

C:\Program Files\EasyPHP1-8\mysql\bin\mysql.exe Infected: Virus.Win32.Sality.aa 1

C:\Program Files\EasyPHP1-8\mysql\bin\mysqladmin.exe Infected: Virus.Win32.Sality.aa 1

C:\Program Files\EasyPHP1-8\mysql\bin\mysqldump.exe Infected: Virus.Win32.Sality.aa 1

C:\Program Files\EasyPHP1-8\php\php.exe Infected: Virus.Win32.Sality.aa 1

C:\Program Files\ESET\Install\setup.exe Infected: Virus.Win32.Sality.aa 1

C:\Program Files\Fichiers communs\InstallShield\Driver\8\Intel 32\IDriver.exe Infected: Virus.Win32.Sality.aa 1

C:\Program Files\Fichiers communs\InstallShield\Driver\8\Intel 32\IDriver2.exe Infected: Virus.Win32.Sality.aa 1

C:\Program Files\Fichiers communs\Microsoft Shared\OFFICE12\ACECNFLT.EXE Infected: Virus.Win32.Sality.aa 1

C:\Program Files\Grisoft\AVG7\avgchk75.exe Infected: Virus.Win32.Sality.aa 1

C:\Program Files\Grisoft\AVG7\avginet.exe Infected: Virus.Win32.Sality.aa 1

C:\Program Files\Grisoft\AVG7\avgscan.exe Infected: Virus.Win32.Sality.aa 1

C:\Program Files\Grisoft\AVG7\avgupdln.exe Infected: Virus.Win32.Sality.aa 1

C:\Program Files\Grisoft\AVG7\avgvv.exe Infected: Virus.Win32.Sality.aa 1

C:\Program Files\Grisoft\AVG7\avgw.exe Infected: Virus.Win32.Sality.aa 1

C:\Program Files\Grisoft\AVG7\setup.exe Infected: Virus.Win32.Sality.aa 1

C:\Program Files\InstallShield Installation Information\{08498FF9-6C9B-4FC2-8DE1-BD98C89CC220}\setup.exe Infected: Virus.Win32.Sality.aa 1

C:\Program Files\InstallShield Installation Information\{DC226AC9-0314-496C-BE6A-B6A132628466}\setup.exe Infected: Virus.Win32.Sality.aa 1

C:\Program Files\InstallShield Installation Information\{E06E4F4E-72D6-4497-BFFD-BCB43077C2F4}\setup.exe Infected: Virus.Win32.Sality.aa 1

C:\Program Files\InstallShield Installation Information\{E672B767-4483-419E-9C8A-0CE59390E79E}\setup.exe Infected: Virus.Win32.Sality.aa 1

C:\Program Files\InstallShield Installation Information\{E91E8912-769D-42F0-8408-0E329443BABC}\setup.exe Infected: Virus.Win32.Sality.aa 1

C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\setup.exe Infected: Virus.Win32.Sality.aa 1

C:\Program Files\Java\jre6\bin\java-rmi.exe Infected: Virus.Win32.Sality.aa 1

C:\Program Files\Java\jre6\bin\javaw.exe Infected: Virus.Win32.Sality.aa 1

C:\Program Files\Java\jre6\bin\javaws.exe Infected: Virus.Win32.Sality.aa 1

C:\Program Files\Java\jre6\bin\jbroker.exe Infected: Virus.Win32.Sality.aa 1

C:\Program Files\Java\jre6\bin\jp2launcher.exe Infected: Virus.Win32.Sality.aa 1

C:\Program Files\Java\jre6\bin\jqsnotify.exe Infected: Virus.Win32.Sality.aa 1

C:\Program Files\Java\jre6\bin\jureg.exe Infected: Virus.Win32.Sality.aa 1

C:\Program Files\Java\jre6\bin\jusched.exe Infected: Virus.Win32.Sality.aa 1

C:\Program Files\Java\jre6\bin\keytool.exe Infected: Virus.Win32.Sality.aa 1

C:\Program Files\Java\jre6\bin\kinit.exe Infected: Virus.Win32.Sality.aa 1

C:\Program Files\Java\jre6\bin\klist.exe Infected: Virus.Win32.Sality.aa 1

C:\Program Files\Java\jre6\bin\pack200.exe Infected: Virus.Win32.Sality.aa 1

C:\Program Files\Java\jre6\bin\policytool.exe Infected: Virus.Win32.Sality.aa 1

C:\Program Files\Java\jre6\bin\rmid.exe Infected: Virus.Win32.Sality.aa 1

C:\Program Files\Java\jre6\bin\rmiregistry.exe Infected: Virus.Win32.Sality.aa 1

C:\Program Files\Java\jre6\bin\servertool.exe Infected: Virus.Win32.Sality.aa 1

C:\Program Files\Java\jre6\bin\ssvagent.exe Infected: Virus.Win32.Sality.aa 1

C:\Program Files\Java\jre6\bin\tnameserv.exe Infected: Virus.Win32.Sality.aa 1

C:\Program Files\Java\jre6\bin\unpack200.exe Infected: Virus.Win32.Sality.aa 1

C:\Program Files\Macromedia\Dreamweaver 8\Dreamweaver.exe Infected: Virus.Win32.Sality.aa 1

C:\Program Files\RALINK\Common\RaUI.exe Infected: Virus.Win32.Sality.aa 1

C:\Program Files\Silicon Integrated Systems\SiSRaidPackage\Sraid.exe Infected: Virus.Win32.Sality.aa 1

C:\Program Files\SMC\SMCWUSB-G 802.11g Wireless USB 2.0 Adapter\SMCWGUTI.exe Infected: Virus.Win32.Sality.aa 1

C:\Qoobox\Quarantine\C\w98.com.vir Infected: Virus.Win32.Sality.aa 1

C:\Qoobox\Quarantine\[4][email protected] Infected: Trojan-GameThief.Win32.Magania.atyd 1

C:\Qoobox\Quarantine\[4][email protected] Infected: Trojan-GameThief.Win32.Magania.audk 1

C:\WINDOWS\Downloaded Installations\Macromedia Dreamweaver 8\DW_Client_Installer.exe Infected: Virus.Win32.Sality.aa 1

C:\_OTMoveIt\MovedFiles\01272009_154657\WINDOWS\system32\olhrwef.exe Infected: Virus.Win32.Sality.aa 1

D:\w98.com Infected: Virus.Win32.Sality.aa 1

The selected area was scanned.


Yep, I was right, SALITY :P, it's the worst there is, it infects every EXE on your PC /!\, even your antivirus is patched by Sality :P

 

ftp://ftp.kaspersky.com/devbuilds/AVPTool

 

Download the latest version of AVP Tool and save it to your desktop.

Install it by double-clicking Setup_7.0.0.xxx.

 

ftp://ftp.kaspersky.com/devbuilds/AVPTool....2009_18-00.exe

 

If your security suite complains, disable it for a moment to install Kaspersky's disinfection tool.

 

Restart the PC in Safe Mode:

Restart in Safe Mode: as the PC restarts, immediately tap the F8 key; you will see a screen with boot options appear. Using the keyboard arrows, choose "Safe Mode" and confirm with "Enter". Choose your usual account, not Administrator.

 

 

Open the yellow Kaspersky folder on the desktop: double-click the red K setup, tick ALL the boxes, then click Scan.

 

At the end, if objects are found, click Neutralize all. If the option to choose Disinfect is offered, do it!!!

 

Click Reports/Save to file --> name the text file "Rapport kav" and paste this report in your reply.

 

Close the tool; we will uninstall it later depending on the report. It must not stay on the PC because it changes every day!

 

=== when in my previous messages I ask a question followed by a ?, it's nice to answer it :P ===

