winupgro.exe installé sur ma machine

[Mark]

Bonsoir act ;

 

Merci pour ta patience

 

Fascinant ce XP 64. Là j'ai quelques trucs à te faire vérifier avant de "fixer" quoique ce soit, par prudence. Des choses toutes simples :

 

==============

 

Je veux m'assurer que tu puisses bien voir tous les fichiers cachés, comme ceci :

 

1. Ferme tous les programmes/fenêtres afin de te retrouver sur le Bureau.
   
2. Double-clique sur le Poste de Travail
   
3. Du menu Outils, clique Options des dossiers...
   
4. De la nouvelle fenêtre, choisis l'onglet Affichage
   
5. Sous Fichiers et dossiers, coche la case Afficher le contenu des dossiers système
   
6. Sous Fichiers et dossiers cachés, clique le bouton Afficher les fichiers et dossiers cachés
   
7. Décoche la case Masquer les extensions des fichiers dont le type est connu
   
8. Décoche la case Masquer les fichiers protégés du système d'exploitation (recommandé)
   
9. Clique le bouton Appliquer puis OK. Ferme les fenêtres du Poste de travail.
   

 

Ensuite...

 

1) Va sur le site de VirusTotal, c'est par là >>

http://www.virustotal.com/fr/

 

- Clique sur "Parcourir..." et recherche le fichier suivant :

 

C:\WINDOWS\system32\Explorer.exe

 

- Double-clique dessus pour le sélectionner

- Clique maintenant sur le bouton "Envoyer le fichier"

- Possible que tu sois mis en file d'attente ; il faut alors patienter

- Possible qu'on te dise que le fichier ait déjà été analysé ; si c'est le cas, choisis une nouvelle analyse.

- Les résultats d'analyse apparaîtront progressivement ; cela ne prend qu'une ou deux minutes.

- Lorsque terminé, copie/colle le rapport ici, dans ta réponse.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

2) Dis-moi si ce fichier existe sur ta machine (via l'Explorateur ou le Poste de Travail) :

 

C:\WINDOWS\SysWOW64\Explorer.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

3) Essaie le mode Sans Échec, juste pour voir s'il fonctionne. D'habitude, Bagle le massacre et il est inutilisable. Je suis juste curieux quant au comportement de l'infection sous XP 64 (sous Seven 64 Bits, le mode Sans Échec n'est pas perturbé). Pour atteindre le mode Sans Échec, tu n'as qu'à redémarrer la machine et ensuite tu tapotes la touche F8 juste après le "Bip", lors du démarrage. Choisis le mode "Sans Échec" de la liste et valide. Si ça fonctionne, parfait, tu peux redémarrer en mode Normal. Si Bagle a attaqué les clés SafeBoot, la machine redémarrera d'elle-même en mode Normal.

 

Merci pour tout ça, et à bientôt pour la suite

[act]

Bonsoir Qc001

Bon, ok pour les manips, mais je bosse dans un studio d'enregistrement et j'ai un emploi du temps un peu particulier, Donc il se peut que je ne puisse rien faire d'ici dimanche prochain, disons que ce jour là j'aurais un peu de temps devant moi.

Je vais essayer de voir avant car j'aimerais vraiment régler mon problème.

Merci, bonne nuit et à très vite.

Ciao

[Mark]

Oké. Je peux peut-être accélérer tout ça.

 

Je viens tout juste de tester un outil sous W7 et ça a nettoyé Bagle de façon satisfaisante. Il ne me reste qu'à vérifier en profondeur, mais le plus gros a été enlevé.

 

Cet outil devrait tourner sans problème sous XP 64 également, alors voici :

(tu fais ça si tu as le temps ; si tu dois reporter à dimanche, je préférerais que tu regardes pour mes questions précédentes avant de lancer cet outil).

=====================

 

Télécharge Malwarebytes' Anti-Malware du lien suivant :

 

http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html

 

• Installe-le puis lance-le
  
• De l'onglet "Mise à jour", clique sur le bouton "Recherche de mise à jour": si le pare-feu demande l'autorisation à MBAM de se connecter, accepte.
  
• Une fois la mise à jour terminée, rends-toi dans l'onglet "Recherche" ;
  
• Sélectionne "Exécuter un examen rapide"
  
• Clique sur "Rechercher"
  
• L'analyse sera lancée ;
  
• Lorsque complétée, un message s'affichera indiquant la fin de l'analyse. Clique sur "OK" pour poursuivre.
  
• Ferme tes navigateurs
  
• Si des malwares ont été détectés, leur liste s'affichera.
  En cliquant sur Suppression (ou équivalent) , MBAM va détruire les fichiers et clés de registre et en mettre une copie dans la quarantaine.
  
• MBAM va ouvrir le Bloc-notes et y copier le rapport d'analyse. Copie-colle ce rapport et poste-le dans ta réponse.
  

 

@bientôt

[act]

Salut Qc001,

 

Bon hier soir très rapidement j'ai tenté de faire les tests sur le fichier "explorer.exe"

Alors tout d'abord à ma surprise le fichier C:\WINDOWS\system32\Explorer.exe n'est pas dans dans le répertoire "system32" mais dans "WINDOWS", j'ai commencé à lancer l'analyse mais je n'ai pas pu attendre la finalisation, je vais essayer de reprendre ça au plus vite.

 

Ensuite en ce qui concerne le fichier "C:\WINDOWS\SysWOW64\Explorer.exe" il est bien présent.

 

J'attaque la suite au plus vite.

Merci et bonne journée.

[act]

salut,

 

J'ai trouvé un petit moment pour enfin tester "explorer.exe".

J'ai sauvé le rapport au format texte et je n'y comprend rien, le voici.

 

Antivirus Version Dernière mise à jour Résultat a-squared 4.0.0.101 2009.03.19 - AhnLab-V3 5.0.0.2 2009.03.19 - AntiVir 7.9.0.120 2009.03.19 - Authentium 5.1.2.4 2009.03.19 - Avast 4.8.1335.0 2009.03.19 - AVG 8.5.0.283 2009.03.19 - BitDefender 7.2 2009.03.19 - CAT-QuickHeal 10.00 2009.03.19 - ClamAV 0.94.1 2009.03.19 - Comodo 1066 2009.03.18 - DrWeb 4.44.0.09170 2009.03.19 - eSafe 7.0.17.0 2009.03.19 - eTrust-Vet None 2009.03.09 - F-Prot 4.4.4.56 2009.03.19 - F-Secure 8.0.14470.0 2009.03.19 - Fortinet 3.117.0.0 2009.03.19 - GData 19 2009.03.19 - Ikarus T3.1.1.48.0 2009.03.19 - K7AntiVirus 7.10.676 2009.03.19 - Kaspersky 7.0.0.125 2009.03.19 - McAfee 5558 2009.03.19 - McAfee+Artemis 5558 2009.03.19 - McAfee-GW-Edition 6.7.6 2009.03.19 - Microsoft 1.4502 2009.03.19 - NOD32 3948 2009.03.19 - Norman 6.00.06 2009.03.19 - nProtect 2009.1.8.0 2009.03.19 - Panda 10.0.0.10 2009.03.19 - PCTools 4.4.2.0 2009.03.19 - Prevx1 V2 2009.03.19 - Rising 21.21.32.00 2009.03.19 - Sophos 4.39.0 2009.03.19 - Sunbelt 3.2.1858.2 2009.03.19 - Symantec 1.4.4.12 2009.03.19 - TheHacker 6.3.3.0.285 2009.03.19 - TrendMicro 8.700.0.1004 2009.03.19 - VBA32 3.12.10.1 2009.03.18 - ViRobot 2009.3.19.1656 2009.03.19 - VirusBuster 4.6.5.0 2009.03.19 -

 

Information additionnelle File size: 1364480 bytes MD5...: ae7a08c05f72a9242734c03230a5cd7f SHA1..: 529439656b329a08a3570703e97d37fc114c4b35 SHA256: c960594228cd932c7769bcc04b9f74858368081b5941b39f434e1100568204f3 SHA512: e422555dc361706d2faabff32d8e8d8e1b727c5471caa55d206851be3273da78

7789ed03c824f71019de823e75db206308e76162c3abcf966115b24f7e9f5403 ssdeep: 24576:RfpGPXECAyAGl2QzfNjBNiDaakf86+s61/g/J/:JpGPXEC7l2QzlzFakf8

f

PEiD..: - TrID..: File type identification

Win64 Executable Generic (95.5%)

Generic Win/DOS Executable (2.2%)

DOS Executable Generic (2.2%)

Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%) PEInfo: PE Structure information

 

( base data )

entrypointaddress.: 0x23030

timedatestamp.....: 0x45d699d7 (Sat Feb 17 05:59:51 2007)

machinetype.......: 0x8664 (AMD64)

 

( 5 sections )

name viradd virsiz rawdsiz ntrpy md5

.text 0x1000 0x850b8 0x85200 6.20 028160c325ba37fb91fe5ed97a5c0246

.data 0x87000 0x2c98 0x2200 1.05 69fe1da9844e01de2906139c8f0db1ba

.pdata 0x8a000 0xece8 0xee00 5.97 e6779a8453df4c4711d154bc2dcf3767

.rsrc 0x99000 0xb60c0 0xb6200 6.49 d53111a688f50e1295b86130ff61eb06

.reloc 0x150000 0x80c 0xa00 4.71 2f6ef6dbfa3e04f307f2256f8b29ae74

 

( 13 imports )

> msvcrt.dll: realloc, malloc, memmove, _itow, memset, memcmp, __C_specific_handler, memcpy, free, _vsnwprintf

> ADVAPI32.dll: RegSetValueExW, RegEnumKeyW, RegQueryValueW, RegEnumKeyExW, GetUserNameW, RegQueryValueExA, RegOpenKeyExA, RegCreateKeyW, RegCloseKey, RegCreateKeyExW, RegSetValueW, RegQueryValueExW, RegQueryInfoKeyW, RegDeleteValueW, RegEnumValueW, RegOpenKeyExW, RegNotifyChangeKeyValue

> KERNEL32.dll: DeleteCriticalSection, SetProcessShutdownParameters, ReleaseMutex, CloseHandle, GetWindowsDirectoryW, LocalFree, ResumeThread, CreateThread, ExpandEnvironmentStringsW, LeaveCriticalSection, EnterCriticalSection, ResetEvent, CompareFileTime, GetCurrentThread, GetSystemTimeAsFileTime, GetUserDefaultLangID, Sleep, GetBinaryTypeW, SetThreadPriority, GetThreadPriority, LoadLibraryExA, GetCurrentThreadId, GetEnvironmentVariableW, UnregisterWait, FindFirstFileW, SystemTimeToFileTime, GetModuleHandleExW, SetEvent, GetFileAttributesW, lstrcmpiA, MoveFileW, FindClose, GetLocalTime, RegisterWaitForSingleObject, GlobalGetAtomNameW, FindNextFileW, GetCurrentProcessId, GetDateFormatW, GetTimeFormatW, GetSystemWindowsDirectoryW, lstrcpynW, FlushInstructionCache, OpenEventW, SetLastError, HeapReAlloc, HeapAlloc, HeapFree, GetUserDefaultLCID, GetProcessHeap, OpenProcess, ReadProcessMemory, HeapSize, LoadLibraryA, QueryPerformanceCounter, UnhandledExceptionFilter, SetUnhandledExceptionFilter, RtlVirtualUnwind, RtlLookupFunctionEntry, RtlCaptureContext, InterlockedPushEntrySList, VirtualFree, VirtualAlloc, InterlockedPopEntrySList, lstrlenW, DelayLoadFailureHook, ExitProcess, GetModuleHandleA, CreateIoCompletionPort, lstrcmpiW, DeviceIoControl, CreateEventW, LocalAlloc, GetProcAddress, ActivateActCtx, GetLastError, GetStartupInfoW, CreateFileW, GetModuleFileNameW, TerminateProcess, HeapDestroy, AssignProcessToJobObject, GetLocaleInfoW, TerminateThread, LoadLibraryW, GetSystemDirectoryW, InitializeCriticalSection, GetPrivateProfileStringW, GetTickCount, GetModuleHandleW, GetSystemDefaultLCID, WaitForSingleObject, CreateJobObjectW, GetCurrentProcess, GetQueuedCompletionStatus, DeactivateActCtx, GetFileAttributesExW, CreateProcessW, FreeLibrary, CreateEventA, SetErrorMode, SetPriorityClass, LoadLibraryExW, MulDiv, SetInformationJobObject, CreateMutexW, GetCommandLineW, GlobalAlloc, GetVersionExA, GlobalFree, GetProcessTimes, lstrcpyW, GetLongPathNameW, InitializeCriticalSectionAndSpinCount, RaiseException

> ntdll.dll: NtQueryInformationProcess, RtlNtStatusToDosError

> GDI32.dll: CreatePatternBrush, GetStockObject, OffsetViewportOrgEx, GetLayout, CombineRgn, CreateDIBSection, GetTextExtentPoint32W, StretchBlt, GetTextMetricsW, GetClipRgn, GetViewportOrgEx, PatBlt, SetViewportOrgEx, SelectClipRgn, GetBkColor, CreateRectRgn, IntersectClipRect, BitBlt, DeleteDC, SetBkColor, CreateCompatibleDC, CreateCompatibleBitmap, ExtTextOutW, OffsetWindowOrgEx, GetTextExtentPointW, CreateRectRgnIndirect, GetObjectW, GetClipBox, SetTextColor, CreateFontIndirectW, SetBkMode, DeleteObject, SelectObject, TranslateCharsetInfo, GetDeviceCaps, SetStretchBltMode

> USER32.dll: GetSubMenu, LoadMenuW, GetSysColorBrush, RemoveMenu, AllowSetForegroundWindow, GetDlgItemInt, SetParent, SetDlgItemInt, CheckDlgButton, EnableWindow, GetMessagePos, CopyIcon, DrawFocusRect, AdjustWindowRectEx, SendNotifyMessageW, SetWindowPlacement, SetCursor, EnumDisplayMonitors, TranslateAcceleratorW, SetWindowRgn, RemovePropW, GetWindowLongPtrA, MonitorFromPoint, PostQuitMessage, ChangeDisplaySettingsW, LoadImageW, SetCapture, MessageBeep, SubtractRect, WindowFromPoint, ExitWindowsEx, DrawEdge, SetPropW, WaitMessage, LoadAcceleratorsW, InflateRect, ChildWindowFromPoint, GetWindowPlacement, OffsetRect, SetRect, IntersectRect, SetCursorPos, AppendMenuW, GetDCEx, GetClassNameW, GetDlgItem, EndDialog, RedrawWindow, SendDlgItemMessageW, SendMessageTimeoutW, LoadBitmapW, GetActiveWindow, RegisterClassW, SetWindowLongPtrW, UnregisterHotKey, SendMessageW, EnumChildWindows, GetWindowLongW, RegisterWindowMessageW, DispatchMessageW, GetShellWindow, DestroyMenu, GetSystemMetrics, MessageBoxW, CreatePopupMenu, LoadStringW, ReleaseDC, GetDlgCtrlID, RegisterHotKey, CallWindowProcW, CheckMenuItem, CopyRect, MonitorFromRect, MoveWindow, EndPaint, ClientToScreen, PeekMessageW, SystemParametersInfoW, TranslateMessage, GetDC, GetDoubleClickTime, FindWindowW, EnumDisplaySettingsExW, GetMenuDefaultItem, GetKeyState, PostMessageW, CharNextW, GetMessageW, EnumDisplayDevicesW, SetMenuItemInfoW, GetMenuItemInfoW, DestroyWindow, InternalGetWindowText, GetSystemMenu, SetTimer, ScreenToClient, GetWindowRect, SetActiveWindow, TrackPopupMenu, ShowWindowAsync, IsIconic, FillRect, GetMenuItemID, DrawTextW, KillTimer, IsZoomed, GetLastActivePopup, SetForegroundWindow, GetFocus, GetParent, IsHungAppWindow, LoadCursorW, GetWindowInfo, IsWindowEnabled, OpenInputDesktop, GetWindowLongPtrW, GetClientRect, SetFocus, CloseDesktop, ModifyMenuW, BeginPaint, EnumWindows, PtInRect, GetClassInfoExW, GetIconInfo, GetForegroundWindow, CreateWindowExW, DialogBoxParamW, MsgWaitForMultipleObjects, CharNextA, GetWindowLongA, RegisterClipboardFormatW, EndDeferWindowPos, DeferWindowPos, BeginDeferWindowPos, SetWindowLongW, PrintWindow, SetClassLongW, GetClassLongW, GetPropW, GetNextDlgGroupItem, GetNextDlgTabItem, ChildWindowFromPointEx, IsChild, NotifyWinEvent, TrackMouseEvent, GetCapture, GetAncestor, CharUpperW, SetWindowLongPtrA, DrawCaption, RegisterClassExW, LoadIconW, TrackPopupMenuEx, GetAsyncKeyState, GetScrollInfo, UnionRect, InvalidateRect, CascadeWindows, BringWindowToTop, TileWindows, GetClassLongPtrW, SetScrollPos, EnableMenuItem, MonitorFromWindow, GetMenuState, GetDesktopWindow, GetSysColor, SetWindowPos, GetCursorPos, SendMessageCallbackW, ShowWindow, IsDlgButtonChecked, GetMenuItemCount, IsWindow, SetMenuDefaultItem, InsertMenuW, EqualRect, IsWindowVisible, SwitchToThisWindow, MapWindowPoints, UpdateWindow, SetWindowTextW, DestroyIcon, SetScrollInfo, GetMonitorInfoW, DefWindowProcW, GetWindowThreadProcessId, GetWindow, EndTask, IsRectEmpty, CharUpperBuffW, DeleteMenu

> SHLWAPI.dll: StrCpyNW, -, -, StrRetToBufW, StrRetToStrW, -, -, -, -, SHQueryValueExW, PathIsNetworkPathW, -, AssocCreate, -, -, -, -, -, -, -, -, SHGetValueW, -, -, -, PathGetArgsW, PathFindFileNameW, SHRegCloseUSKey, StrStrIW, SHRegWriteUSValueW, PathRemoveBlanksW, -, SHSetThreadRef, PathAppendW, SHRegCreateUSKeyW, StrCmpNIW, -, -, -, -, SHSetValueW, SHCreateThreadRef, PathQuoteSpacesW, SHRegGetBoolUSValueW, -, SHRegGetUSValueW, StrToIntW, PathRemoveArgsW, -, -, PathCombineW, -, -, -, AssocQueryKeyW, -, AssocQueryStringW, PathIsPrefixW, PathParseIconLocationW, StrCmpW, -, SHStrDupW, -, -, -, PathStripToRootW, -, PathIsDirectoryW, PathFindExtensionW, -, PathRemoveFileSpecW, -, SHRegSetUSValueW, StrChrW, PathGetDriveNumberW, -, -, PathFileExistsW, -, -, SHRegQueryUSValueW, -, SHRegOpenUSKeyW, -, -, -, SHOpenRegStream2W, -, StrCatBuffW, StrCmpIW, SHDeleteValueW, SHDeleteKeyW, StrDupW, -, -, wnsprintfW, -, -, StrCatW, StrCpyW, -, -, -, StrCmpNW, -, -

> SHELL32.dll: -, -, -, -, SHGetFolderPathW, SHGetSpecialFolderLocation, -, -, ExtractIconExW, -, -, -, -, -, SHUpdateRecycleBinIcon, -, -, -, -, SHGetSpecialFolderPathW, -, -, -, -, -, -, -, -, -, -, -, -, -, -, SHBindToParent, -, -, -, SHParseDisplayName, -, -, -, -, -, -, -, -, -, -, -, ShellExecuteExW, -, -, -, -, -, -, SHAddToRecentDocs, -, SHChangeNotify, SHGetDesktopFolder, -, DuplicateIcon, SHGetFolderLocation, -, -, -, SHGetPathFromIDListW, SHGetPathFromIDListA, -, -, -, -, -, -, -, -, -, -, -, -, -, -

> ole32.dll: CoUninitialize, CoRegisterClassObject, CoRevokeClassObject, CoMarshalInterThreadInterfaceInStream, CreateBindCtx, CoCreateInstance, OleInitialize, OleUninitialize, CoTaskMemFree, RegisterDragDrop, CoFreeUnusedLibraries, DoDragDrop, CoInitializeEx, RevokeDragDrop

> OLEAUT32.dll: -, -

> BROWSEUI.dll: -, -, -, -

> SHDOCVW.dll: -, -, -

> UxTheme.dll: GetThemeFont, GetThemeMargins, GetThemeColor, GetThemeRect, GetThemeBackgroundContentRect, GetThemeBool, GetThemePartSize, CloseThemeData, GetThemeTextExtent, DrawThemeParentBackground, DrawThemeBackground, SetWindowTheme, OpenThemeData, DrawThemeText, IsAppThemed, -, GetThemeBackgroundRegion

 

( 0 exports )

[act]

Alors la suite maintenant.

J'ai essayé de démarrer une fois en mode sans échec avec la touche F8 mais rien à faire il démarre en mode normal.

Il faudrait que je fasse un autre test j'ai fait le premier dans l'urgence, donc je ne suis pas sûr d'avoir appuyé sur la touche au bon moment.

J'ai ensuite passer Malwarebytes' Anti-Malware après l'avoir mis à jour.

J'ai plusieurs rapport car il me signalais qu'il pourrait désinstaller certain fichiers (winupgro.exe par exemple) après un redémarrage. Mais après chaque redémarrage winupgro.exe était toujours présent.

J'ai donc lancé Malwarebytes' Anti-Malware à plusieurs reprises mais toujours le même résultat au redémarrage.

J'ai donc mis manuellement le fichier winupgro.exe et le dossier m à la corbeille que j'ai bien évidemment vidé.

J'ai redémarré une dernière fois et au désespoir winupgro.exe était toujours là avec une série de fichiers indésirables (voir le dernier rapport)

 

Premier rapport "mbam-log-2009-03-19 (19-44-14)"

 

Malwarebytes' Anti-Malware 1.34

 

Version de la base de données: 1871

 

Windows 5.2.3790 Service Pack 2

 

 

 

19/03/2009 19:44:14

 

mbam-log-2009-03-19 (19-44-14).txt

 

 

 

Type de recherche: Examen rapide

 

Eléments examinés: 67506

 

Temps écoulé: 1 minute(s), 41 second(s)

 

 

 

Processus mémoire infecté(s): 3

 

Module(s) mémoire infecté(s): 0

 

Clé(s) du Registre infectée(s): 3

 

Valeur(s) du Registre infectée(s): 3

 

Elément(s) de données du Registre infecté(s): 1

 

Dossier(s) infecté(s): 3

 

Fichier(s) infecté(s): 138

 

 

 

Processus mémoire infecté(s):

 

C:\Documents and Settings\Administrator\Application Data\m\flec006.exe (Trojan.Agent) -> Failed to unload process.

 

C:\Documents and Settings\Administrator\Application Data\drivers\winupgro.exe (Trojan.Agent) -> Unloaded process successfully.

 

C:\WINDOWS\system32\wintems.exe (Trojan.Spammer) -> Unloaded process successfully.

 

 

 

Module(s) mémoire infecté(s):

 

(Aucun élément nuisible détecté)

 

 

 

Clé(s) du Registre infectée(s):

 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srosa (Rootkit.Bagle) -> Quarantined and deleted successfully.

 

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\srosa (Rootkit.Bagle) -> Quarantined and deleted successfully.

 

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\srosa (Rootkit.Bagle) -> Quarantined and deleted successfully.

 

 

 

Valeur(s) du Registre infectée(s):

 

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mule_st_key (Trojan.Agent) -> Quarantined and deleted successfully.

 

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\drvsyskit (Trojan.Agent) -> Quarantined and deleted successfully.

 

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\german.exe (Trojan.Spammer) -> Quarantined and deleted successfully.

 

 

 

Elément(s) de données du Registre infecté(s):

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

 

 

 

Dossier(s) infecté(s):

 

C:\WINDOWS\system32\Drivers\down (Trojan.Downloader) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m (Trojan.Agent) -> Delete on reboot.

 

C:\Documents and Settings\Administrator\Application Data\m\shared (Trojan.Agent) -> Quarantined and deleted successfully.

 

 

 

Fichier(s) infecté(s):

 

C:\WINDOWS\system32\Drivers\down\410828.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

 

C:\WINDOWS\system32\Drivers\down\475296.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

 

C:\WINDOWS\system32\Drivers\down\486000.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\data.oct (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\flec006.exe (Trojan.Agent) -> Delete on reboot.

 

C:\Documents and Settings\Administrator\Application Data\m\list.oct (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\srvlist.oct (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\0.zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\007 Proxy Finder 1.61.zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\1 Cool Password Tool Build 040721-2331.zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\12Ghosts FileDate 8.11.zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\3GP PSP iPod Converter 1.0.1.zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\4Musics CDA to MP3 Converter 4.3.zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\5star freeTunes 1.2.1.927 Patch.zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\A-one Video to RM Converter 6.2.1.zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\Acta Importer for Spotlight 1.1.zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\Add Bookmark Here 0.5.8.zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\Advanced Biorhythms 2008 2.2.zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\Air1 Radio Player 1.0.zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\Alldj DVD Ripper 3.3.0.zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\American Dream Font 1.0.zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\aTunes 1.8.3.zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\AuditISX 2.55.2391.16182.zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\aumpel 2.zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\AutoHide 1.0.zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\AutoMe 3.00 Build 165.zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\Avast!.Antivirus.4.6.691.Professional.Edition.+.Crack.zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\Avast!.PRO.v4.7.ITA.+.skin.zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\AVIToolbox 1.6.1.25 (Patch).zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\Battlezone Upgrade Patch 1.8.zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\BoogiePOP Enterprise 4.0.zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\CD Ripper Deluxe 2.6 Key+Serial.zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\Celtx 0.9.9.1.zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\CityCode PSC 3.0.1.zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\Constructor 8.01 SP1.zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\Cool All Video to iPod Converter 6.0.zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\DarkBASIC 1.13.zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\Deng Google Bookmarks 1.0.0.16.zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\DGenR8 2.6.zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\Digi Date 1.0.0.0.zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\Direct MP3 Splitter Joiner 2.5.0.0.zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\Disk Image Viewer 0.5.zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\Easy Watermark Creator 1.6.zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\Edit As New 0.2.zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\EM2GM 1.0.zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\Estard Data Miner 1.4 [Crack].zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\Ewido.Anti-SpywAre.v4.0.0.172a.zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\EZMem Optimizer 2.0.26.zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\Femta 1.21 [Crack].zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\FileTypesMan 1.06.zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\Flash Screen Saver Builder 2.0 (KeyGen).zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\Folder Comparison 2002.zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\Great Stella 4.1.1.zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\Implementing and Administering a Microsoft Windows 2000 Directory Services 6.09.05.zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\IntelliPoker.NET 1.0.1.zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\Interactive Voice Guide 4.7.25 (KeyGen).zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\IPSender 1.0.zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\IronHero 1.2.zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\Jungle Fever.zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\Key Extender 3.9 [With Crack].zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\LaTeX Macros 1.09.2.zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\LaunchIt NOW! 1.5.zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\Learn To Speak French 3.2.zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\LingvoSoft Talking Dictionary 2008 English Russian 4.1.29.zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\Madeira Web Cams 1.2.zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\Managed extensions for VCL 2.00.zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\MechWarrior 4 Vengeance - River Valley map.zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\Memory Monitor 1.0.zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\Mihov Index Maker 1.50.zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\MpSoft Internet Cafe Guard 9.01.zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\MS Access 2007 Ribbon to Old Classic Menu Toolbar Interface Software 7.0.zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\MSN Group Downloader 1.1.zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\MSN Winks Magic 2.0.zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\MSSQL-to-MySQL 3.3.zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\MVTools 1.11.4.4.zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\My Empire 2.0 KeyGen.zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\NASA Moon as seen from Earth 1.0.0.0.zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\Ninja Penguin.zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\Nixie CLock 1.0.1.0.zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\NOD32.2.50.16.CZ.-.plná.verze.+.heslo.zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\NotJustBrowsing 1.0.10.zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\OJOsoft M4A Converter 2.0.0.0430.zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\Omni Encoder 1.2.3.zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\orangeCalc 2005 1.40 [With Crack].zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\Outlook Loader 1.4.1001.zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\Password Guard 2.0.zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\PDF Conversion Series - PDF2TXT 1.1 build 1115.zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\PDF Merge-Split 1.1.zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\Picture Viewer 1.0.57.zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\Ping Terminal 2.5.zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\Point Cloud 1.0.1 Key+Serial.zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\PowerDVD 8.0.2217.zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\Presentation Manager 2.01 (With Crack).zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\Resolve for BagleDl-AB 1.07.zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\Rich Mailer 3.1.zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\Royal Business Ebook Package 1.0 With Crack.zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\RuleLab.Net Server 1.7 Cracked.zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\Runprog 1.0.28.zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\Screen Ruler Opera Widget 1.7.zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\SDI FTP 2.5.1e.zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\Server Nanny Network Monitor 4.0.0 (Key).zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\Simple Downloader 1.0a.zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\SiteScope 8.0.zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\Smart Kid - Learning Addition 1.7.zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\Sound Laundry 2.5.zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\Spyware Adware Alert SE 2007.5 1.5 Patch.zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\Subtitles Modifier 2.92.zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\Super calculator 1.00.zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\SuperAntiSpyware Professional 3.2.0.1028.zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\SurfSecret PopupElimiantor 4.02 Serial.zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\Sweetheart Monitor 1.5.zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\SwitchInspector 1.3.1.zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\Synclosure 0.1.zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\Tech-Pro World Clock 2.1 (Key+Serial).zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\Text to Image 1.1.1.zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\The Kangaroo Jack Outback Bola 1.0 (Mac).zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\The NFL Internet Picksheet 1.0.zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\TIT - The Information Temp 0.3.zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\TMPGEnc 2.524.zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\Toonworks Deluxe 1.0.408.zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\Total Surveillance 360 1.2.0.3.zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\Unreal Tournament 2003 - Hurt Conveyor skin.zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\Unreal Tournament 2003 - Proximity Mine mod 1.1.zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\Virtual Layout Artist 1.3.zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\Virtual SoundFont Manager 3.20.zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\Web SiteGrabber 1.1 (Patch).zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\winButler 1.1.7.zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\Winnovative RTF to PDF Converter 1.0 (With Crack).zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\WinXMedia DVD iPod Video Converter 3.03 Serial.zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\WorshipCenter Pro 2.7.zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\y.Panda.1960.zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\m\shared\yvReminder 3.2.2477.32951.zip (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\drivers\winupgro.exe (Trojan.Agent) -> Delete on reboot.

 

C:\Documents and Settings\Administrator\Local Settings\Temp\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\WINDOWS\system32\mdelk.exe (Trojan.Spammer) -> Quarantined and deleted successfully.

 

C:\WINDOWS\system32\wintems.exe (Trojan.Spammer) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\drivers\srosa2.sys (Rootkit.Bagle) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\drivers\wfsintwq.sys (Rootkit.Bagle) -> Quarantined and deleted successfully.

 

 

 

 

Deuxième rapport "mbam-log-2009-03-19 (19-55-35)"

 

Malwarebytes' Anti-Malware 1.34

 

Version de la base de données: 1871

 

Windows 5.2.3790 Service Pack 2

 

 

 

19/03/2009 19:55:35

 

mbam-log-2009-03-19 (19-55-35).txt

 

 

 

Type de recherche: Examen rapide

 

Eléments examinés: 67472

 

Temps écoulé: 1 minute(s), 43 second(s)

 

 

 

Processus mémoire infecté(s): 2

 

Module(s) mémoire infecté(s): 0

 

Clé(s) du Registre infectée(s): 2

 

Valeur(s) du Registre infectée(s): 2

 

Elément(s) de données du Registre infecté(s): 0

 

Dossier(s) infecté(s): 1

 

Fichier(s) infecté(s): 5

 

 

 

Processus mémoire infecté(s):

 

C:\Documents and Settings\Administrator\Application Data\drivers\winupgro.exe (Trojan.Agent) -> Failed to unload process.

 

C:\Documents and Settings\Administrator\Application Data\m\flec006.exe (Trojan.Agent) -> Failed to unload process.

 

 

 

Module(s) mémoire infecté(s):

 

(Aucun élément nuisible détecté)

 

 

 

Clé(s) du Registre infectée(s):

 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srosa (Rootkit.Bagle) -> Quarantined and deleted successfully.

 

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\srosa (Rootkit.Bagle) -> Quarantined and deleted successfully.

 

 

 

Valeur(s) du Registre infectée(s):

 

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mule_st_key (Trojan.Agent) -> Quarantined and deleted successfully.

 

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\drvsyskit (Trojan.Agent) -> Quarantined and deleted successfully.

 

 

 

Elément(s) de données du Registre infecté(s):

 

(Aucun élément nuisible détecté)

 

 

 

Dossier(s) infecté(s):

 

C:\Documents and Settings\Administrator\Application Data\m (Trojan.Agent) -> Delete on reboot.

 

 

 

Fichier(s) infecté(s):

 

C:\Documents and Settings\Administrator\Application Data\m\flec006.exe (Trojan.Agent) -> Delete on reboot.

 

C:\Documents and Settings\Administrator\Application Data\m\list.oct (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\drivers\winupgro.exe (Trojan.Agent) -> Delete on reboot.

 

C:\Documents and Settings\Administrator\Application Data\drivers\srosa2.sys (Rootkit.Bagle) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\Administrator\Application Data\drivers\wfsintwq.sys (Rootkit.Bagle) -> Quarantined and deleted successfully.

[act]

Troisième et dernier rapport "mbam-log-2009-03-19 (20-17-25)"

 

Malwarebytes' Anti-Malware 1.34

 

Version de la base de données: 1871

 

Windows 5.2.3790 Service Pack 2

 

 

 

19/03/2009 20:17:30

 

mbam-log-2009-03-19 (20-17-25).txt

 

 

 

Type de recherche: Examen rapide

 

Eléments examinés: 67373

 

Temps écoulé: 1 minute(s), 38 second(s)

 

 

 

Processus mémoire infecté(s): 0

 

Module(s) mémoire infecté(s): 0

 

Clé(s) du Registre infectée(s): 2

 

Valeur(s) du Registre infectée(s): 1

 

Elément(s) de données du Registre infecté(s): 0

 

Dossier(s) infecté(s): 0

 

Fichier(s) infecté(s): 3

 

 

 

Processus mémoire infecté(s):

 

(Aucun élément nuisible détecté)

 

 

 

Module(s) mémoire infecté(s):

 

(Aucun élément nuisible détecté)

 

 

 

Clé(s) du Registre infectée(s):

 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srosa (Rootkit.Bagle) -> No action taken.

 

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\srosa (Rootkit.Bagle) -> No action taken.

 

 

 

Valeur(s) du Registre infectée(s):

 

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\drvsyskit (Trojan.Agent) -> No action taken.

 

 

 

Elément(s) de données du Registre infecté(s):

 

(Aucun élément nuisible détecté)

 

 

 

Dossier(s) infecté(s):

 

(Aucun élément nuisible détecté)

 

 

 

Fichier(s) infecté(s):

 

C:\Documents and Settings\Administrator\Application Data\drivers\winupgro.exe (Trojan.Agent) -> No action taken.

 

C:\Documents and Settings\Administrator\Application Data\drivers\srosa2.sys (Rootkit.Bagle) -> No action taken.

 

C:\Documents and Settings\Administrator\Application Data\drivers\wfsintwq.sys (Rootkit.Bagle) -> No action taken.

[Mark]

Bonjour act, et merci pour ces rapports

 

Verdict : à ma grande surprise, Bagle s'est bien installé en force sur ton XP 64 ce qui, en théorie, ne devait pas arriver. Ça ne devait pas arriver car, en théorie, un rootkit doit avoir un pilote signé numériquement afin de s'installer sur un système 64 Bits. Ce XP a été très peu distribué et je ne l'ai pas ici, donc je ne peux pas tester moi-même.

 

Que faire maintenant ? Voici ce que je propose :

 

- Fais tes sauvegardes de fichiers importants, car nous allons expérimenter et il faut se préparer au pire (formatage possible).

- Lorsque les sauvegardes seront faites, je te proposerai de tester deux outils (un à la fois bien sûr).

 

Au final, Bagle doit être enlevé car ta machine est quasi inutilisable et, de plus, elle est contrôlée à distance.

 

Qu'en penses-tu ?

 

@+

[act]

Salut Qc001,

 

Sgulp !!!!

Ok j'ai déjà commencé à faire des sauvegardes et je pense finir demain.

Comme je le disais précédemment j'ai un système linux installé sur cette machine et il fonctionne à la perfection.

J'ai été sur le disque OS windows depuis Linux avec "voir les fichiers cachés" activé et j'ai pu trouver le dossier driver dans lequel se trouve "winupgro.exe" entre autre et un dossier "downld" avec une tonne d'exécutable dedans se qui me parait louche.

En tout cas, vu que je ne peux pas démarrer en "mode sans échec" ( j'ai retenté la manip à plusieurs reprises et en fait rien à faire) je me suis dit que je pourrais peut être virer des fichiers depuis Linux sur la partition contenant Win XP64.

Qu'en penses tu ?

Sinon ok pour le test des deux outils.

Tu peux me donner la marche à suivre si il n'y a aucun espoir depuis Linux.

 

Au fait une question qui me taraude depuis quelques temps aussi j'ai Live 7.0.14 qui se bloque et je ne peux plus rien faire avec, je suis obligé de redémarrer la machine pour le réutiliser.

Penses tu que le bagle peut en être la cause ?

 

Voici un extrait du log d'erreur déjà posté dans ce fil de discution.

 

========== Last 10 Event Log Errors ==========

 

[ Application Events ]

Error - 07/03/2009 09:11:14 | Computer Name = USER-751A7B4E9C | Source = Application Hang | ID = 1002

Description = Application bloquée Live 7.0.14.exe, version 1.0.0.1, module bloqué

hungapp, version 0.0.0.0, adresse de blocage 0x00000000.

 

Error - 07/03/2009 09:26:16 | Computer Name = USER-751A7B4E9C | Source = Application Hang | ID = 1002

Description = Application bloquée Live 7.0.14.exe, version 1.0.0.1, module bloqué

hungapp, version 0.0.0.0, adresse de blocage 0x00000000.

 

Error - 07/03/2009 10:27:13 | Computer Name = USER-751A7B4E9C | Source = Application Hang | ID = 1002

Description = Application bloquée Live 7.0.14.exe, version 1.0.0.1, module bloqué

hungapp, version 0.0.0.0, adresse de blocage 0x00000000.

 

Bonne soirée et merci beaucoup

[Mark]

Salut act

 

Merci pour le rappel (Linux), car ça pourrait être utile en effet. Il faut que je vérifie quelques trucs avant par contre. Ça te laissera le temps de terminer tes sauvegardes.

 

J'ai fait d'autres tests hier, sur machine XP virtuelle (32 bits) et je n'ai pas obtenu les résultats que je recherchais. Pas grave, je fouille toujours. Et j'attends des retours sur quelques questions

 

Pour Live : fort probable que ce soit Bagle, en effet. Il est brutal et n'aime pas qu'on touche à la connexion (sa porte dérobée en souffre...).

 

À très bientôt,