
winupgro.exe installed on my machine


act

Recommended posts

Happy Sunday :P

How are you getting on with the backups? All good?

While you finish all that, I have another question, and here's the explanation:

Bagle does something rather clever: it targets a legitimate process that launches at startup and replaces it with its main infector (winupgro.exe); this lets Bagle reinstall itself every time the registry launches that process. The problem: the process is chosen at random and the file keeps the original name. In my tests, for example, I saw QTTask (QuickTime), Google Updater, Messenger and others get targeted. This file must be removed quickly to avoid reinfection. Our two anti-Bagle tools find it, and so do good antivirus products. I'm going to ask you to locate it on your machine, and here is how:

In your case, I suspect this one:

C:\Program Files (x86)\Common Files\Acronis\Partition Suite\oss_reinstall.exe

(but I could be wrong, we'll see)

>> In Explorer, look at this file: it may have an icon that looks like a key (pale green) or some other unusual icon. If so, look at its properties, and if it is 844 KB, it is winupgro.exe (renamed). If you identify it, don't bother looking for the next file (there is only one).

If it isn't that one, check this one:

C:\WINDOWS\algd.exe

It's also possible that Bagle didn't target a legitimate process at all, but experience tells us the odds are high. If you find the file (key icon or another odd one, 844 KB in size), delete it immediately. The program that used this file will eventually need to be uninstalled and reinstalled, but we'll see about that later.

As soon as the backups are done, we'll try out the tools.

@+

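Editor's added example (not code from the thread or from any anti-Bagle tool): the manual check Qc001 describes above, automated. For each executable that an autostart entry points to, it measures the file on disk, hashes it for submission to a scanner, and flags anything whose size falls in the band around the 844 KB he gives for the renamed winupgro.exe. The entry names, file names and sizes are constructed fixtures written to a temporary directory; the 4 KB tolerance is the editor's assumption (act later measured the same file as 847 KB from Linux), and no real malware sample is involved.

```python
"""Triage of autostart-referenced executables for a renamed Bagle infector.

Editor's added example, not code from the thread. It automates the manual
check described in the post above: for each executable an autostart entry
points to, measure the file on disk and flag anything whose size sits in the
band around the 844 KB given for the renamed winupgro.exe. The entries, file
names and sizes below are constructed fixtures; hash and flag only, never run
the file.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass

SUSPECT_KB = 844      # size reported in the thread for winupgro.exe
TOLERANCE_KB = 4      # editor's assumption: act measured 847 KB from Linux


@dataclass
class Finding:
    entry: str      # autostart entry name (e.g. a Run-key value name)
    path: str       # executable the entry launches
    size: int       # bytes on disk
    sha256: str     # for submitting to a multi-engine scanner, not for running
    suspect: bool   # True when the size sits in the winupgro.exe band


def size_matches(size: int, suspect_kb: int = SUSPECT_KB,
                 tolerance_kb: int = TOLERANCE_KB) -> bool:
    """True if size (bytes) is within tolerance of the suspect size (1 KB = 1024 B)."""
    low = (suspect_kb - tolerance_kb) * 1024
    high = (suspect_kb + tolerance_kb) * 1024
    return low <= size <= high


def sha256_of(path: str) -> str:
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def triage(entries: dict) -> list:
    """entries maps an autostart entry name to the executable path it launches.

    Entries whose target is missing are skipped: a dangling autostart entry is
    worth noting separately, but it cannot be the renamed infector.
    """
    findings = []
    for name, path in entries.items():
        if not os.path.isfile(path):
            continue
        size = os.path.getsize(path)
        findings.append(Finding(name, path, size, sha256_of(path), size_matches(size)))
    return findings


def build_fixture(root: str) -> dict:
    """Constructed fixture: a 120 KB 'legitimate' updater and an 844 KB imposter
    that has kept the original program's file name, as Bagle does."""
    legit = os.path.join(root, "GoogleUpdater.exe")
    imposter = os.path.join(root, "oss_reinstall.exe")
    with open(legit, "wb") as fh:
        fh.write(b"\x00" * (120 * 1024))
    with open(imposter, "wb") as fh:
        fh.write(b"\x00" * (844 * 1024 + 100))   # Explorer would show 844 KB
    return {"Google Updater": legit, "Acronis OSS reinstall": imposter}


def suspect_names() -> list:
    """Run the triage over the fixture and return the base names flagged."""
    with tempfile.TemporaryDirectory() as root:
        flagged = [f for f in triage(build_fixture(root)) if f.suspect]
        return [os.path.basename(f.path) for f in flagged]


if __name__ == "__main__":
    for name in suspect_names():
        print("suspect (size band match):", name)
```

On a real machine the `entries` dict would be filled from the Run keys and Startup folders rather than from the fixture; the size band is a triage heuristic, so a flagged file should be confirmed by a scanner (or its hash looked up) before the program that owned it is reinstalled.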

Hi Qc001,

That's it, I've finished the backups.

I went to look at the file C:\Program Files (x86)\Common Files\Acronis\Partition Suite\oss_reinstall.exe from Linux, and it is 847 KB.

I copied it to the Linux desktop and deleted it from Windows.

I'm going to test a Windows startup this morning; I'll report back very quickly.

As for the file C:\WINDOWS\algd.exe, I didn't find it.

A +


No more "winupgro.exe", but maybe a deeper clean-up is still needed?

I haven't tried booting in "safe mode"; I'll do that later.

Well, I'm amazed about "oss_reinstall.exe"; apparently that was it.

A thousand thanks, Qc001, brilliant!

Here is the report from:

Malwarebytes' Anti-Malware 1.34
Version de la base de données: 1871
Windows 5.2.3790 Service Pack 2

23/03/2009 09:16:20
mbam-log-2009-03-23 (09-16-20).txt

Type de recherche: Examen rapide
Eléments examinés: 67353
Temps écoulé: 1 minute(s), 41 second(s)

Processus mémoire infecté(s): 0
Module(s) mémoire infecté(s): 0
Clé(s) du Registre infectée(s): 0
Valeur(s) du Registre infectée(s): 0
Elément(s) de données du Registre infecté(s): 0
Dossier(s) infecté(s): 0
Fichier(s) infecté(s): 0

Processus mémoire infecté(s):
(Aucun élément nuisible détecté)

Module(s) mémoire infecté(s):
(Aucun élément nuisible détecté)

Clé(s) du Registre infectée(s):
(Aucun élément nuisible détecté)

Valeur(s) du Registre infectée(s):
(Aucun élément nuisible détecté)

Elément(s) de données du Registre infecté(s):
(Aucun élément nuisible détecté)

Dossier(s) infecté(s):
(Aucun élément nuisible détecté)

Fichier(s) infecté(s):
(Aucun élément nuisible détecté)


Hello act :P

Well done! That's an important step you've just taken, a bit unexpected but entirely welcome :P

Yes, there are still things to do. I only have a few minutes (for now), so here goes:

You won't be able to boot into Safe Mode, because Bagle has destroyed the associated registry keys; they need to be replaced/repaired, and for that I need to do some research, for 64-bit.

The priority: get a (compatible) antivirus on your machine and run a full scan right away. I dug around a bit, and my favourite, AntiVir, is compatible with XP 64 but only in its very latest version 9, released last week and not yet available in French. If you don't mind having the English interface for a while, here is the direct link:

http://dlce.antivir.com/package/wks_avira/...personal_en.exe

- Install it (it's very simple). After installation, decline the quick scan, then right-click its icon near the clock and run the update. Then double-click its icon near the clock and run a full scan. A report will appear on screen at the end of the scan; copy/paste its contents here. **A French version will be available within a month or two, according to my sources.

We'll see about the rest :P

@+

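Editor's added example (not code from the thread or from Avira): a small summarizer for the kind of AntiVir report Qc001 asks act to paste. When a helper reads such a report, the three things wanted first are which malware families were hit, which persistence entries the scanner recorded (the `[NOTE]` lines that quote a Run key and its value), and which detected files were neither deleted nor moved to quarantine and therefore still need a follow-up. The sample report below is constructed, modelled on the report format; the restore-point GUID is a placeholder, and the parsing rules (a line starting with a drive letter names the object the following bracketed lines describe) are the editor's reading of that format.

```python
"""Summarize an Avira AntiVir scan report: families, persistence, leftovers.

Editor's added example, not code from the thread or from Avira. The sample
report is constructed and modelled on the report format; the restore-point
GUID is a placeholder. Parsing assumptions (editor's): a line beginning with
a drive letter names the current object, and the [DETECTION]/[NOTE] lines
that follow refer to it.
"""
import re
from collections import Counter
from dataclasses import dataclass, field

SAMPLE = r"""Start of the scan: Monday, March 23, 2009 20:34
The scan of running processes will be started
Scan process 'algd.exe' - '1' Module(s) have been scanned
Module is infected -> 'C:\WINDOWS\algd.exe'
Process 'algd.exe' has been terminated
C:\WINDOWS\algd.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] TR/Dropper.Gen:[HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN]:<Windows Messanger Control Center>=sz:algd.exe
[NOTE] The file was deleted!
Starting the file scan:
Begin scan in 'C:\' <OS>
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
C:\Documents and Settings\Administrator\Application Data\drivers\downld\108546.exe
[DETECTION] Is the TR/Bagle.Gen.B Trojan
C:\System Volume Information\_restore{GUID-PLACEHOLDER}\RP137\A0036916.sys
[DETECTION] Is the TR/Rootkit.Gen Trojan
H:\cle act\NEWER\autorun.inf
[DETECTION] Contains recognition pattern of the WORM/Autorun.edc.1 worm
Beginning disinfection:
C:\Documents and Settings\Administrator\Application Data\drivers\downld\108546.exe
[DETECTION] Is the TR/Bagle.Gen.B Trojan
[NOTE] The file was moved to '4a0004b6.qua'!
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\")
DETECTION_RE = re.compile(
    r"^\[DETECTION\] (?:Is the|Contains (?:a )?recognition pattern of the"
    r"(?: \(harmful\))?) (\S+)")
# e.g. [NOTE] TR/Dropper.Gen:[HKEY_...\RUN]:<value name>=sz:algd.exe
PERSIST_RE = re.compile(r"^\[NOTE\] (\S+?):\[(HKEY_[^\]]+)\]:<([^>]*)>=sz:(.*)$")
REMEDIED_RE = re.compile(r"^\[NOTE\] The file was (?:deleted|moved to '([^']+)')!")


@dataclass
class Report:
    detections: dict = field(default_factory=dict)   # path -> signature name
    remediated: dict = field(default_factory=dict)   # path -> "deleted" or .qua name
    persistence: list = field(default_factory=list)  # (registry key, value name, data)


def parse_report(text: str) -> Report:
    rep = Report()
    current = None   # object (file path) the following bracketed lines describe
    for line in text.splitlines():
        line = line.rstrip()
        if PATH_RE.match(line):
            current = line
            continue
        m = DETECTION_RE.match(line)
        if m and current:
            rep.detections[current] = m.group(1)
            continue
        m = PERSIST_RE.match(line)
        if m:
            rep.persistence.append((m.group(2), m.group(3), m.group(4)))
            continue
        m = REMEDIED_RE.match(line)
        if m and current:
            rep.remediated[current] = m.group(1) or "deleted"
    return rep


def family(signature: str) -> str:
    """'TR/Bagle.Gen.B' -> 'Bagle', 'WORM/Autorun.edc.1' -> 'Autorun'."""
    return signature.split("/", 1)[-1].split(".", 1)[0]


def summarize(rep: Report) -> dict:
    return {
        "families": Counter(family(s) for s in rep.detections.values()),
        # detected but never deleted or quarantined: these need a follow-up
        "unremediated": sorted(p for p in rep.detections if p not in rep.remediated),
        "persistence": rep.persistence,
    }


if __name__ == "__main__":
    summary = summarize(parse_report(SAMPLE))
    print("families:", dict(summary["families"]))
    print("persistence:", summary["persistence"])
    print("still on disk:", *summary["unremediated"], sep="\n  ")
```

The `unremediated` list is the useful part for a helper: on the constructed sample it holds the rootkit driver in a restore point and the worm's `autorun.inf` on the removable drive, both found but not yet dealt with, while the two files Avira deleted or quarantined drop out.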

Hi Qc001,

I installed, updated and ran a full scan with AntiVir (no problem with the English version)

Here is the report:

 

Avira AntiVir Personal

Report file date: Monday, March 23, 2009 20:34

Scanning for 1313876 virus strains and unwanted programs.

 

Licensee : Avira AntiVir Personal - FREE Antivirus

Serial number : 0000149996-ADJIE-0000001

Platform : Windows XP 64 Bit

Windows version : (Service Pack 2) [5.2.3790]

Boot mode : Normally booted

Username : SYSTEM

Computer name : USER-751A7B4E9C

Version information:

BUILD.DAT : 9.0.0.386 17962 Bytes 3/11/2009 15:55:00

AVSCAN.EXE : 9.0.3.3 464641 Bytes 2/24/2009 11:13:26

AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 09:58:24

LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 10:35:49

LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 09:58:52

ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 11:30:36

ANTIVIR1.VDF : 7.1.2.12 3336192 Bytes 2/11/2009 19:33:26

ANTIVIR2.VDF : 7.1.2.199 1008640 Bytes 3/22/2009 19:33:49

ANTIVIR3.VDF : 7.1.2.205 37376 Bytes 3/23/2009 19:33:49

Engineversion : 8.2.0.120

AEVDF.DLL : 8.1.1.0 106868 Bytes 1/27/2009 16:36:42

AESCRIPT.DLL : 8.1.1.67 364923 Bytes 3/23/2009 19:33:54

AESCN.DLL : 8.1.1.8 127346 Bytes 3/23/2009 19:33:53

AERDL.DLL : 8.1.1.3 438645 Bytes 10/29/2008 17:24:41

AEPACK.DLL : 8.1.3.10 397686 Bytes 3/4/2009 12:06:10

AEOFFICE.DLL : 8.1.0.36 196987 Bytes 2/26/2009 19:01:56

AEHEUR.DLL : 8.1.0.107 1663352 Bytes 3/23/2009 19:33:53

AEHELP.DLL : 8.1.2.2 119158 Bytes 2/26/2009 19:01:56

AEGEN.DLL : 8.1.1.30 336245 Bytes 3/23/2009 19:33:50

AEEMU.DLL : 8.1.0.9 393588 Bytes 10/9/2008 13:32:40

AECORE.DLL : 8.1.6.6 176501 Bytes 2/17/2009 13:22:44

AEBB.DLL : 8.1.0.3 53618 Bytes 10/9/2008 13:32:40

AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 07:47:59

AVPREF.DLL : 9.0.0.1 43777 Bytes 12/5/2008 09:32:15

AVREP.DLL : 8.0.0.3 155905 Bytes 1/20/2009 13:34:28

AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 09:32:09

AVARKT.DLL : 9.0.0.1 292609 Bytes 2/9/2009 06:52:24

AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 09:37:08

SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 14:03:49

SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 07:21:33

NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 09:32:10

RCIMAGE.DLL : 9.0.0.21 2438401 Bytes 2/9/2009 10:45:45

RCTEXT.DLL : 9.0.35.0 87297 Bytes 3/11/2009 14:55:12

Configuration settings for the scan:

Jobname.............................: Complete system scan

Configuration file..................: c:\program files (x86)\avira\antivir desktop\sysscan.avp

Logging.............................: low

Primary action......................: interactive

Secondary action....................: ignore

Scan master boot sector.............: on

Scan boot sector....................: on

Boot sectors........................: C:, D:, G:, H:,

Process scan........................: on

Scan registry.......................: on

Search for rootkits.................: on

Integrity checking of system files..: on

Scan all files......................: All files

Scan archives.......................: on

Recursion depth.....................: 20

Smart extensions....................: on

Macro heuristic.....................: on

File heuristic......................: medium

Deviating risk categories...........: +APPL,+GAME,+JOKE,+PCK,+SPR,

Start of the scan: Monday, March 23, 2009 20:34

Initiating scan of system files:

Signed -> 'C:\WINDOWS\system32\svchost.exe'

Signed -> 'C:\WINDOWS\system32\winlogon.exe'

Signed -> 'C:\WINDOWS\explorer.exe'

Signed -> 'C:\WINDOWS\system32\smss.exe'

Signed -> 'C:\WINDOWS\system32\wininet.DLL'

Signed -> 'C:\WINDOWS\system32\wsock32.DLL'

Signed -> 'C:\WINDOWS\system32\ws2_32.DLL'

Signed -> 'C:\WINDOWS\system32\services.exe'

Signed -> 'C:\WINDOWS\system32\lsass.exe'

Signed -> 'C:\WINDOWS\system32\csrss.exe'

Signed -> 'C:\WINDOWS\system32\drivers\kbdclass.sys'

Signed -> 'C:\WINDOWS\system32\spoolsv.exe'

Signed -> 'C:\WINDOWS\system32\alg.exe'

Signed -> 'C:\WINDOWS\system32\wuauclt.exe'

Signed -> 'C:\WINDOWS\system32\advapi32.DLL'

Signed -> 'C:\WINDOWS\system32\user32.DLL'

Signed -> 'C:\WINDOWS\system32\gdi32.DLL'

Signed -> 'C:\WINDOWS\system32\kernel32.DLL'

Signed -> 'C:\WINDOWS\system32\ntdll.DLL'

Signed -> 'C:\WINDOWS\system32\ntoskrnl.exe'

Signed -> 'C:\WINDOWS\system32\ctfmon.exe'

The system files were scanned ('21' files)

Starting search for hidden objects.

The driver could not be initialized.

The scan of running processes will be started

Scan process 'jucheck.exe' - '1' Module(s) have been scanned

Scan process 'avscan.exe' - '1' Module(s) have been scanned

Scan process 'avcenter.exe' - '1' Module(s) have been scanned

Scan process 'avgnt.exe' - '1' Module(s) have been scanned

Scan process 'sched.exe' - '1' Module(s) have been scanned

Scan process 'avguard.exe' - '1' Module(s) have been scanned

Scan process 'msiexec.exe' - '0' Module(s) have been scanned

Scan process 'algd.exe' - '1' Module(s) have been scanned

Module is infected -> 'C:\WINDOWS\algd.exe'

Scan process 'jusched.exe' - '1' Module(s) have been scanned

Scan process 'ctfmon.exe' - '1' Module(s) have been scanned

Scan process 'FireBox.exe' - '1' Module(s) have been scanned

Scan process 'ctfmon.exe' - '0' Module(s) have been scanned

Scan process 'rundll32.exe' - '0' Module(s) have been scanned

Scan process 'explorer.exe' - '0' Module(s) have been scanned

Scan process 'wmiprvse.exe' - '0' Module(s) have been scanned

Scan process 'svchost.exe' - '0' Module(s) have been scanned

Scan process 'nvsvc64.exe' - '0' Module(s) have been scanned

Scan process 'svchost.exe' - '0' Module(s) have been scanned

Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned

Scan process 'spoolsv.exe' - '0' Module(s) have been scanned

Scan process 'svchost.exe' - '0' Module(s) have been scanned

Scan process 'svchost.exe' - '0' Module(s) have been scanned

Scan process 'svchost.exe' - '0' Module(s) have been scanned

Scan process 'svchost.exe' - '0' Module(s) have been scanned

Scan process 'svchost.exe' - '0' Module(s) have been scanned

Scan process 'lsass.exe' - '0' Module(s) have been scanned

Scan process 'services.exe' - '0' Module(s) have been scanned

Scan process 'winlogon.exe' - '0' Module(s) have been scanned

Scan process 'csrss.exe' - '0' Module(s) have been scanned

Scan process 'smss.exe' - '0' Module(s) have been scanned

Process 'algd.exe' has been terminated

C:\WINDOWS\algd.exe

[DETECTION] Is the TR/Dropper.Gen Trojan

[NOTE] TR/Dropper.Gen:[HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN]:<Windows Messanger Control Center>=sz:algd.exe

[NOTE] The file was deleted!

12 processes with 11 modules were scanned

Starting master boot sector scan:

Start scanning boot sectors:

Starting to scan executable files (registry).

The registry was scanned ( '51' files ).

Starting the file scan:

Begin scan in 'C:\' <OS>

C:\pagefile.sys

[WARNING] The file could not be opened!

[NOTE] This file is a Windows system file.

[NOTE] This file cannot be opened for scanning.

C:\Documents and Settings\Administrator\Application Data\drivers\downld\108546.exe

[DETECTION] Is the TR/Bagle.Gen.B Trojan

C:\Documents and Settings\Administrator\Application Data\drivers\downld\111859.exe

[DETECTION] Is the TR/Bagle.Gen.B Trojan

C:\Documents and Settings\Administrator\Application Data\drivers\downld\121953.exe

[DETECTION] Is the TR/Bagle.Gen.B Trojan

C:\Documents and Settings\Administrator\Application Data\drivers\downld\213328.exe

[DETECTION] Is the TR/Bagle.Gen.B Trojan

C:\Documents and Settings\Administrator\Application Data\drivers\downld\221218.exe

[DETECTION] Is the TR/Bagle.Gen.B Trojan

C:\Documents and Settings\Administrator\Application Data\drivers\downld\230375.exe

[DETECTION] Is the TR/Bagle.Gen.B Trojan

C:\Documents and Settings\Administrator\Application Data\drivers\downld\239515.exe

[DETECTION] Is the TR/Bagle.Gen.B Trojan

C:\Documents and Settings\Administrator\Application Data\drivers\downld\253343.exe

[DETECTION] Is the TR/Bagle.Gen.B Trojan

C:\Documents and Settings\Administrator\Application Data\drivers\downld\254453.exe

[DETECTION] Is the TR/Bagle.Gen.B Trojan

C:\Documents and Settings\Administrator\Application Data\drivers\downld\255562.exe

[DETECTION] Is the TR/Bagle.Gen.B Trojan

C:\Documents and Settings\Administrator\Application Data\drivers\downld\267406.exe

[DETECTION] Is the TR/Bagle.Gen.B Trojan

C:\Documents and Settings\Administrator\Application Data\drivers\downld\334968.exe

[DETECTION] Is the TR/Bagle.Gen.B Trojan

C:\Documents and Settings\Administrator\Application Data\drivers\downld\399781.exe

[DETECTION] Is the TR/Bagle.Gen.B Trojan

C:\Documents and Settings\Administrator\Application Data\drivers\downld\418484.exe

[DETECTION] Is the TR/Bagle.Gen.B Trojan

C:\Documents and Settings\Administrator\Application Data\drivers\downld\478281.exe

[DETECTION] Is the TR/Bagle.Gen.B Trojan

C:\Documents and Settings\Administrator\Application Data\drivers\downld\630703.exe

[DETECTION] Is the TR/Bagle.Gen.B Trojan

C:\Documents and Settings\Administrator\Application Data\drivers\downld\90062.exe

[DETECTION] Is the TR/Bagle.Gen.B Trojan

C:\Documents and Settings\Administrator\Application Data\drivers\downld\91937.exe

[DETECTION] Is the TR/Bagle.Gen.B Trojan

C:\Documents and Settings\Administrator\Local Settings\Temp\LOOP.EXE

[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan

C:\Documents and Settings\Administrator\Local Settings\Temp\tmp42753.exe

[DETECTION] Is the TR/Dropper.Gen Trojan

C:\Documents and Settings\Administrator\Local Settings\Temp\AVmixer Pro 1_1\j-offer-15-win.dll

[DETECTION] Is the TR/Dropper.Gen Trojan

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6T6PMTWJ\b64[1].jpg

[DETECTION] Is the TR/Bagle.Gen.B Trojan

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6T6PMTWJ\b64_1[1].jpg

[DETECTION] Is the TR/Proxy.Mitglieder.ggi Trojan

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6T6PMTWJ\b64_2[1].jpg

[DETECTION] Is the TR/Bagle.Gen.B Trojan

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6T6PMTWJ\b64_2[2].jpg

[DETECTION] Is the TR/Bagle.Gen.B Trojan

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6T6PMTWJ\b64_6[1].jpg

[DETECTION] Is the TR/Agent.5124 Trojan

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6T6PMTWJ\ieps[1].jpg

[DETECTION] Is the TR/Bagle.trash Trojan

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\MH0H4FAP\b64_1[1].jpg

[DETECTION] Is the TR/Proxy.Mitglieder.ggi Trojan

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\MH0H4FAP\b64_1[2].jpg

[DETECTION] Is the TR/Proxy.Mitglieder.ggi Trojan

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\MH0H4FAP\b64_1[3].jpg

[DETECTION] Is the TR/Proxy.Mitglieder.ggi Trojan

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\MH0H4FAP\b64_2[1].jpg

[DETECTION] Is the TR/Bagle.Gen.B Trojan

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\MH0H4FAP\b64_2[2].jpg

[DETECTION] Is the TR/Bagle.Gen.B Trojan

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\MH0H4FAP\b64_3[1].jpg

[DETECTION] Is the TR/Bagle.Gen.B Trojan

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\MH0H4FAP\b64_3[2].jpg

[DETECTION] Is the TR/Bagle.Gen.B Trojan

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\MH0H4FAP\b64_3[3].jpg

[DETECTION] Is the TR/Bagle.Gen.B Trojan

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\MH0H4FAP\b64_3[4].jpg

[DETECTION] Is the TR/Bagle.Gen.B Trojan

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\MH0H4FAP\ieps[1].jpg

[DETECTION] Is the TR/Bagle.trash Trojan

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\MTE7Y1UN\b64[1].jpg

[DETECTION] Is the TR/Bagle.Gen.B Trojan

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\MTE7Y1UN\b64[2].jpg

[DETECTION] Is the TR/Bagle.Gen.B Trojan

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\MTE7Y1UN\b64_1[1].jpg

[DETECTION] Is the TR/Proxy.Mitglieder.ggi Trojan

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\MTE7Y1UN\b64_2[1].jpg

[DETECTION] Is the TR/Bagle.Gen.B Trojan

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\MTE7Y1UN\b64_3[1].jpg

[DETECTION] Is the TR/Bagle.Gen.B Trojan

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\MTE7Y1UN\b64_6[1].jpg

[DETECTION] Is the TR/Agent.5124 Trojan

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\MTE7Y1UN\b64_6[2].jpg

[DETECTION] Is the TR/Agent.5124 Trojan

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\S12D8V8Z\b64[1].jpg

[DETECTION] Is the TR/Bagle.Gen.B Trojan

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\S12D8V8Z\b64[2].jpg

[DETECTION] Is the TR/Bagle.Gen.B Trojan

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\S12D8V8Z\b64_1[1].jpg

[DETECTION] Is the TR/Proxy.Mitglieder.ggi Trojan

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\S12D8V8Z\b64_3[1].jpg

[DETECTION] Is the TR/Bagle.Gen.B Trojan

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\S12D8V8Z\b64_6[1].jpg

[DETECTION] Is the TR/Agent.5124 Trojan

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\S12D8V8Z\b64_6[2].jpg

[DETECTION] Is the TR/Agent.5124 Trojan

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\S12D8V8Z\ftpps[1].jpg

[DETECTION] Is the TR/Bagle.trash Trojan

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\S12D8V8Z\mxd[1].jpg

[DETECTION] Is the TR/Bagle.trash Trojan

C:\System Volume Information\_restore{23EF1CFA-5F19-40EF-9768-7D4E1D8A5B65}\RP137\A0036916.sys

[DETECTION] Is the TR/Rootkit.Gen Trojan

C:\System Volume Information\_restore{23EF1CFA-5F19-40EF-9768-7D4E1D8A5B65}\RP137\A0036934.sys

[DETECTION] Is the TR/Rootkit.Gen Trojan

C:\System Volume Information\_restore{23EF1CFA-5F19-40EF-9768-7D4E1D8A5B65}\RP137\A0036944.exe

[DETECTION] Is the TR/Dldr.Bagle.aoz Trojan

C:\System Volume Information\_restore{23EF1CFA-5F19-40EF-9768-7D4E1D8A5B65}\RP137\A0036991.sys

[DETECTION] Is the TR/Rootkit.Gen Trojan

C:\System Volume Information\_restore{23EF1CFA-5F19-40EF-9768-7D4E1D8A5B65}\RP138\A0038731.exe

[DETECTION] Is the TR/Bagle.Gen.B Trojan

C:\System Volume Information\_restore{23EF1CFA-5F19-40EF-9768-7D4E1D8A5B65}\RP138\A0038832.exe

[DETECTION] Is the TR/Bagle.Gen.B Trojan

C:\System Volume Information\_restore{23EF1CFA-5F19-40EF-9768-7D4E1D8A5B65}\RP138\A0038843.exe

[DETECTION] Is the TR/Bagle.Gen.B Trojan

C:\System Volume Information\_restore{23EF1CFA-5F19-40EF-9768-7D4E1D8A5B65}\RP138\A0038844.exe

[DETECTION] Is the TR/Bagle.Gen.B Trojan

C:\System Volume Information\_restore{23EF1CFA-5F19-40EF-9768-7D4E1D8A5B65}\RP138\A0038845.exe

[DETECTION] Is the TR/Bagle.Gen.B Trojan

C:\System Volume Information\_restore{23EF1CFA-5F19-40EF-9768-7D4E1D8A5B65}\RP138\A0038862.exe

[DETECTION] Is the TR/Bagle.Gen.B Trojan

C:\System Volume Information\_restore{23EF1CFA-5F19-40EF-9768-7D4E1D8A5B65}\RP138\A0038863.exe

[DETECTION] Is the TR/PCK.Black.A.2947 Trojan

C:\System Volume Information\_restore{23EF1CFA-5F19-40EF-9768-7D4E1D8A5B65}\RP138\A0038878.exe

[DETECTION] Is the TR/Bagle.Gen.B Trojan

C:\System Volume Information\_restore{23EF1CFA-5F19-40EF-9768-7D4E1D8A5B65}\RP138\A0038879.exe

[DETECTION] Is the TR/Dldr.Bagle.apa Trojan

C:\System Volume Information\_restore{23EF1CFA-5F19-40EF-9768-7D4E1D8A5B65}\RP138\A0038883.exe

[DETECTION] Is the TR/Bagle.Gen.B Trojan

C:\System Volume Information\_restore{23EF1CFA-5F19-40EF-9768-7D4E1D8A5B65}\RP138\A0038884.exe

[DETECTION] Is the TR/Bagle.Gen.B Trojan

C:\System Volume Information\_restore{23EF1CFA-5F19-40EF-9768-7D4E1D8A5B65}\RP138\A0038888.exe

[DETECTION] Is the TR/Dldr.Bagle.apa Trojan

C:\System Volume Information\_restore{23EF1CFA-5F19-40EF-9768-7D4E1D8A5B65}\RP138\A0038890.exe

[DETECTION] Is the TR/Bagle.Gen.B Trojan

C:\System Volume Information\_restore{23EF1CFA-5F19-40EF-9768-7D4E1D8A5B65}\RP138\A0038895.exe

[DETECTION] Is the TR/Bagle.Gen.B Trojan

C:\System Volume Information\_restore{23EF1CFA-5F19-40EF-9768-7D4E1D8A5B65}\RP138\A0038904.exe

[DETECTION] Is the TR/Dldr.Bagle.apa Trojan

C:\System Volume Information\_restore{23EF1CFA-5F19-40EF-9768-7D4E1D8A5B65}\RP138\A0038916.sys

[DETECTION] Is the TR/Rootkit.Gen Trojan

C:\System Volume Information\_restore{23EF1CFA-5F19-40EF-9768-7D4E1D8A5B65}\RP138\A0038943.exe

[DETECTION] Is the TR/Dldr.Bagle.apa Trojan

C:\System Volume Information\_restore{23EF1CFA-5F19-40EF-9768-7D4E1D8A5B65}\RP138\A0038951.exe

[DETECTION] Is the TR/Dldr.Bagle.apa Trojan

C:\System Volume Information\_restore{23EF1CFA-5F19-40EF-9768-7D4E1D8A5B65}\RP138\A0038957.exe

[DETECTION] Is the TR/Dldr.Bagle.apa Trojan

C:\System Volume Information\_restore{23EF1CFA-5F19-40EF-9768-7D4E1D8A5B65}\RP138\A0038965.exe

[DETECTION] Is the TR/Dldr.Bagle.apa Trojan

C:\System Volume Information\_restore{23EF1CFA-5F19-40EF-9768-7D4E1D8A5B65}\RP138\A0038967.sys

[DETECTION] Is the TR/Rootkit.Gen Trojan

C:\System Volume Information\_restore{23EF1CFA-5F19-40EF-9768-7D4E1D8A5B65}\RP138\A0038973.sys

[DETECTION] Is the TR/Rootkit.Gen Trojan

C:\System Volume Information\_restore{23EF1CFA-5F19-40EF-9768-7D4E1D8A5B65}\RP139\A0039007.exe

[DETECTION] Is the TR/Dropper.Gen Trojan

C:\System Volume Information\_restore{5CB9CCEC-9E0F-46F1-8CD8-87DDA9CD817E}\RP42\A0007716.exe

[DETECTION] Is the TR/Agent.2020522 Trojan

C:\System Volume Information\_restore{5CB9CCEC-9E0F-46F1-8CD8-87DDA9CD817E}\RP42\A0007942.exe

[DETECTION] Is the TR/Agent.2020522 Trojan

C:\System Volume Information\_restore{5CB9CCEC-9E0F-46F1-8CD8-87DDA9CD817E}\RP55\A0009432.exe

[DETECTION] Contains recognition pattern of the DR/BHO.kbm dropper

C:\System Volume Information\_restore{5CB9CCEC-9E0F-46F1-8CD8-87DDA9CD817E}\RP56\A0009482.exe

[DETECTION] Is the TR/Dldr..Bagle.gy Trojan

C:\System Volume Information\_restore{5CB9CCEC-9E0F-46F1-8CD8-87DDA9CD817E}\RP56\A0009483.exe

[DETECTION] Is the TR/Dldr..Bagle.gy Trojan

C:\System Volume Information\_restore{5CB9CCEC-9E0F-46F1-8CD8-87DDA9CD817E}\RP56\A0009508.sys

[DETECTION] Is the TR/Rootkit.Gen Trojan

C:\System Volume Information\_restore{5CB9CCEC-9E0F-46F1-8CD8-87DDA9CD817E}\RP56\A0009543.sys

[DETECTION] Is the TR/Rootkit.Gen Trojan

C:\System Volume Information\_restore{5CB9CCEC-9E0F-46F1-8CD8-87DDA9CD817E}\RP56\A0009550.sys

[DETECTION] Is the TR/Rootkit.Gen Trojan

C:\System Volume Information\_restore{5CB9CCEC-9E0F-46F1-8CD8-87DDA9CD817E}\RP57\A0009591.sys

[DETECTION] Is the TR/Rootkit.Gen Trojan

C:\System Volume Information\_restore{5CB9CCEC-9E0F-46F1-8CD8-87DDA9CD817E}\RP58\A0009634.sys

[DETECTION] Is the TR/Rootkit.Gen Trojan

C:\System Volume Information\_restore{5CB9CCEC-9E0F-46F1-8CD8-87DDA9CD817E}\RP58\A0009656.sys

[DETECTION] Is the TR/Rootkit.Gen Trojan

C:\System Volume Information\_restore{5CB9CCEC-9E0F-46F1-8CD8-87DDA9CD817E}\RP59\A0009669.sys

[DETECTION] Is the TR/Rootkit.Gen Trojan

C:\System Volume Information\_restore{5CB9CCEC-9E0F-46F1-8CD8-87DDA9CD817E}\RP60\A0009686.sys

[DETECTION] Is the TR/Rootkit.Gen Trojan

C:\System Volume Information\_restore{5CB9CCEC-9E0F-46F1-8CD8-87DDA9CD817E}\RP60\A0009694.sys

[DETECTION] Is the TR/Rootkit.Gen Trojan

C:\System Volume Information\_restore{5CB9CCEC-9E0F-46F1-8CD8-87DDA9CD817E}\RP61\A0009724.sys

[DETECTION] Is the TR/Rootkit.Gen Trojan

C:\System Volume Information\_restore{5CB9CCEC-9E0F-46F1-8CD8-87DDA9CD817E}\RP61\A0009739.sys

[DETECTION] Is the TR/Rootkit.Gen Trojan

C:\System Volume Information\_restore{5CB9CCEC-9E0F-46F1-8CD8-87DDA9CD817E}\RP61\A0009776.sys

[DETECTION] Is the TR/Rootkit.Gen Trojan

C:\System Volume Information\_restore{5CB9CCEC-9E0F-46F1-8CD8-87DDA9CD817E}\RP61\A0009803.sys

[DETECTION] Is the TR/Rootkit.Gen Trojan

C:\System Volume Information\_restore{5CB9CCEC-9E0F-46F1-8CD8-87DDA9CD817E}\RP61\A0009817.sys

[DETECTION] Is the TR/Rootkit.Gen Trojan

C:\System Volume Information\_restore{5CB9CCEC-9E0F-46F1-8CD8-87DDA9CD817E}\RP63\A0009842.sys

[DETECTION] Is the TR/Rootkit.Gen Trojan

C:\System Volume Information\_restore{5CB9CCEC-9E0F-46F1-8CD8-87DDA9CD817E}\RP63\A0009856.sys

[DETECTION] Is the TR/Rootkit.Gen Trojan

C:\System Volume Information\_restore{5CB9CCEC-9E0F-46F1-8CD8-87DDA9CD817E}\RP63\A0009885.sys

[DETECTION] Is the TR/Rootkit.Gen Trojan

C:\System Volume Information\_restore{5CB9CCEC-9E0F-46F1-8CD8-87DDA9CD817E}\RP63\A0009901.sys

[DETECTION] Is the TR/Rootkit.Gen Trojan

C:\WINDOWS\LOOP.exe

[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan

C:\WINDOWS\system32\drivers\sptd.sys

[WARNING] The file could not be opened!

Begin scan in 'D:\' <DATA>

D:\System Volume Information\_restore{5CB9CCEC-9E0F-46F1-8CD8-87DDA9CD817E}\RP33\A0006024.exe

[0] Archive type: RAR SFX (self extracting)

--> file.exe

[DETECTION] Contains a recognition pattern of the (harmful) BDS/Bifrose.Gen back-door program

Begin scan in 'G:\' <TRAVAUX>

Begin scan in 'H:\' <STOCKAGE>

H:\cle act\NEWER\autorun.inf

[DETECTION] Contains recognition pattern of the WORM/Autorun.edc.1 worm

H:\cle act\NEWER\RECYCLER\S-1-6-21-2434476501-1644491937-600003330-1213\autorunme.exe

[DETECTION] Is the TR/Dropper.Gen Trojan

H:\cle act\OLD\autorun.inf

[DETECTION] Contains recognition pattern of the WORM/Autorun.edc.1 worm

H:\cle act\OLD\RECYCLER\S-1-6-21-2434476501-1644491937-600003330-1213\autorunme.exe

[DETECTION] Is the TR/Dropper.Gen Trojan

H:\System Volume Information\_restore{23EF1CFA-5F19-40EF-9768-7D4E1D8A5B65}\RP137\A0036977.exe

[DETECTION] Is the TR/PCK.Black.A.2947 Trojan

H:\System Volume Information\_restore{23EF1CFA-5F19-40EF-9768-7D4E1D8A5B65}\RP138\A0038933.exe

[DETECTION] Contains recognition pattern of the DR/Small.AI.1 dropper

H:\System Volume Information\_restore{23EF1CFA-5F19-40EF-9768-7D4E1D8A5B65}\RP138\A0038934.exe

[DETECTION] Contains recognition pattern of the DR/Small.AI.1 dropper

H:\System Volume Information\_restore{23EF1CFA-5F19-40EF-9768-7D4E1D8A5B65}\RP138\A0038941.exe

[DETECTION] Contains recognition pattern of the DR/Small.AI.1 dropper

H:\System Volume Information\_restore{23EF1CFA-5F19-40EF-9768-7D4E1D8A5B65}\RP138\A0038942.exe

[DETECTION] Contains recognition pattern of the DR/Small.AI.1 dropper

Beginning disinfection:

C:\Documents and Settings\Administrator\Application Data\drivers\downld\108546.exe

[DETECTION] Is the TR/Bagle.Gen.B Trojan

[NOTE] The file was moved to '4a0004b6.qua'!

C:\Documents and Settings\Administrator\Application Data\drivers\downld\111859.exe

[DETECTION] Is the TR/Bagle.Gen.B Trojan

[NOTE] The file was moved to '49f904b7.qua'!

C:\Documents and Settings\Administrator\Application Data\drivers\downld\121953.exe

[DETECTION] Is the TR/Bagle.Gen.B Trojan

[NOTE] The file was moved to '49f904b8.qua'!

C:\Documents and Settings\Administrator\Application Data\drivers\downld\213328.exe

[DETECTION] Is the TR/Bagle.Gen.B Trojan

[NOTE] The file was moved to '49fb04b7.qua'!

C:\Documents and Settings\Administrator\Application Data\drivers\downld\221218.exe

[DETECTION] Is the TR/Bagle.Gen.B Trojan

[NOTE] The file was moved to '45f5f411.qua'!

C:\Documents and Settings\Administrator\Application Data\drivers\downld\230375.exe

[DETECTION] Is the TR/Bagle.Gen.B Trojan

[NOTE] The file was moved to '49f804b9.qua'!

C:\Documents and Settings\Administrator\Application Data\drivers\downld\239515.exe

[DETECTION] Is the TR/Bagle.Gen.B Trojan

[NOTE] The file was moved to '4a0104b9.qua'!

C:\Documents and Settings\Administrator\Application Data\drivers\downld\253343.exe

[DETECTION] Is the TR/Bagle.Gen.B Trojan

[NOTE] The file was moved to '49fb04bb.qua'!

C:\Documents and Settings\Administrator\Application Data\drivers\downld\254453.exe

[DETECTION] Is the TR/Bagle.Gen.B Trojan

[NOTE] The file was moved to '49fc04bc.qua'!

C:\Documents and Settings\Administrator\Application Data\drivers\downld\255562.exe

[DETECTION] Is the TR/Bagle.Gen.B Trojan

[NOTE] The file was moved to '49fd04bc.qua'!

C:\Documents and Settings\Administrator\Application Data\drivers\downld\267406.exe

[DETECTION] Is the TR/Bagle.Gen.B Trojan

[NOTE] The file was moved to '49ff04bd.qua'!

C:\Documents and Settings\Administrator\Application Data\drivers\downld\334968.exe

[DETECTION] Is the TR/Bagle.Gen.B Trojan

[NOTE] The file was moved to '49fc04ba.qua'!

C:\Documents and Settings\Administrator\Application Data\drivers\downld\399781.exe

[DETECTION] Is the TR/Bagle.Gen.B Trojan

[NOTE] The file was moved to '4a0104c0.qua'!

C:\Documents and Settings\Administrator\Application Data\drivers\downld\418484.exe

[DETECTION] Is the TR/Bagle.Gen.B Trojan

[NOTE] The file was moved to '4a0004b8.qua'!

C:\Documents and Settings\Administrator\Application Data\drivers\downld\478281.exe

[DETECTION] Is the TR/Bagle.Gen.B Trojan

[NOTE] The file was moved to '4a0004be.qua'!

C:\Documents and Settings\Administrator\Application Data\drivers\downld\630703.exe

[DETECTION] Is the TR/Bagle.Gen.B Trojan

[NOTE] The file was moved to '49f804ba.qua'!

C:\Documents and Settings\Administrator\Application Data\drivers\downld\90062.exe

[DETECTION] Is the TR/Bagle.Gen.B Trojan

[NOTE] The file was moved to '49f804b8.qua'!

C:\Documents and Settings\Administrator\Application Data\drivers\downld\91937.exe

[DETECTION] Is the TR/Bagle.Gen.B Trojan

[NOTE] The file was moved to '45724c5a.qua'!

C:\Documents and Settings\Administrator\Local Settings\Temp\LOOP.EXE

[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan

[NOTE] The file was moved to '4a1704d7.qua'!

C:\Documents and Settings\Administrator\Local Settings\Temp\tmp42753.exe

[DETECTION] Is the TR/Dropper.Gen Trojan

[NOTE] The file was moved to '4a3804f5.qua'!

C:\Documents and Settings\Administrator\Local Settings\Temp\AVmixer Pro 1_1\j-offer-15-win.dll

[DETECTION] Is the TR/Dropper.Gen Trojan

[NOTE] The file was moved to '4a3704b5.qua'!

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6T6PMTWJ\b64[1].jpg

[DETECTION] Is the TR/Bagle.Gen.B Trojan

[NOTE] The file was moved to '49fc04be.qua'!

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6T6PMTWJ\b64_1[1].jpg

[DETECTION] Is the TR/Proxy.Mitglieder.ggi Trojan

[NOTE] The file was moved to '468a6487.qua'!

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6T6PMTWJ\b64_2[1].jpg

[DETECTION] Is the TR/Bagle.Gen.B Trojan

[NOTE] The file was moved to '4687839f.qua'!

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6T6PMTWJ\b64_2[2].jpg

[DETECTION] Is the TR/Bagle.Gen.B Trojan

[NOTE] The file was moved to '46867be7.qua'!

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6T6PMTWJ\b64_6[1].jpg

[DETECTION] Is the TR/Agent.5124 Trojan

[NOTE] The file was moved to '46808a57.qua'!

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6T6PMTWJ\ieps[1].jpg

[DETECTION] Is the TR/Bagle.trash Trojan

[NOTE] The file was moved to '4a3804ed.qua'!

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\MH0H4FAP\b64_1[1].jpg

[DETECTION] Is the TR/Proxy.Mitglieder.ggi Trojan

[NOTE] The file was moved to '49fc04bf.qua'!

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\MH0H4FAP\b64_1[2].jpg

[DETECTION] Is the TR/Proxy.Mitglieder.ggi Trojan

[NOTE] The file was moved to '46857350.qua'!

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\MH0H4FAP\b64_1[3].jpg

[DETECTION] Is the TR/Proxy.Mitglieder.ggi Trojan

[NOTE] The file was moved to '467caac8.qua'!

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\MH0H4FAP\b64_2[1].jpg

[DETECTION] Is the TR/Bagle.Gen.B Trojan

[NOTE] The file was moved to '467db110.qua'!

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\MH0H4FAP\b64_2[2].jpg

[DETECTION] Is the TR/Bagle.Gen.B Trojan

[NOTE] The file was moved to '467eb958.qua'!

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\MH0H4FAP\b64_3[1].jpg

[DETECTION] Is the TR/Bagle.Gen.B Trojan

[NOTE] The file was moved to '467fc1a0.qua'!

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\MH0H4FAP\b64_3[2].jpg

[DETECTION] Is the TR/Bagle.Gen.B Trojan

[NOTE] The file was moved to '4678c9e8.qua'!

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\MH0H4FAP\b64_3[3].jpg

[DETECTION] Is the TR/Bagle.Gen.B Trojan

[NOTE] The file was moved to '4679d030.qua'!

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\MH0H4FAP\b64_3[4].jpg

[DETECTION] Is the TR/Bagle.Gen.B Trojan

[NOTE] The file was moved to '467ad878.qua'!

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\MH0H4FAP\ieps[1].jpg

[DETECTION] Is the TR/Bagle.trash Trojan

[NOTE] The file was moved to '4a3804ef.qua'!

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\MTE7Y1UN\b64[1].jpg

[DETECTION] Is the TR/Bagle.Gen.B Trojan

[NOTE] The file was moved to '49fc04c0.qua'!

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\MTE7Y1UN\b64[2].jpg

[DETECTION] Is the TR/Bagle.Gen.B Trojan

[NOTE] The file was moved to '4683a281.qua'!

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\MTE7Y1UN\b64_1[1].jpg

[DETECTION] Is the TR/Proxy.Mitglieder.ggi Trojan

[NOTE] The file was moved to '4675f0d1.qua'!

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\MTE7Y1UN\b64_2[1].jpg

[DETECTION] Is the TR/Bagle.Gen.B Trojan

[NOTE] The file was moved to '46700761.qua'!

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\MTE7Y1UN\b64_3[1].jpg

[DETECTION] Is the TR/Bagle.Gen.B Trojan

[NOTE] The file was moved to '46710fa9.qua'!

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\MTE7Y1UN\b64_6[1].jpg

[DETECTION] Is the TR/Agent.5124 Trojan

[NOTE] The file was moved to '467217f1.qua'!

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\MTE7Y1UN\b64_6[2].jpg

[DETECTION] Is the TR/Agent.5124 Trojan

[NOTE] The file was moved to '46731e39.qua'!

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\S12D8V8Z\b64[1].jpg

[DETECTION] Is the TR/Bagle.Gen.B Trojan

[NOTE] The file was moved to '49fc04c1.qua'!

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\S12D8V8Z\b64[2].jpg

[DETECTION] Is the TR/Bagle.Gen.B Trojan

[NOTE] The file was moved to '466d2e4a.qua'!

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\S12D8V8Z\b64_1[1].jpg

[DETECTION] Is the TR/Proxy.Mitglieder.ggi Trojan

[NOTE] The file was moved to '466e3692.qua'!

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\S12D8V8Z\b64_3[1].jpg

[DETECTION] Is the TR/Bagle.Gen.B Trojan

[NOTE] The file was moved to '466f3eda.qua'!

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\S12D8V8Z\b64_6[1].jpg

[DETECTION] Is the TR/Agent.5124 Trojan

[NOTE] The file was moved to '46684522.qua'!

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\S12D8V8Z\b64_6[2].jpg

[DETECTION] Is the TR/Agent.5124 Trojan

[NOTE] The file was moved to '46694d6a.qua'!

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\S12D8V8Z\ftpps[1].jpg

[DETECTION] Is the TR/Bagle.trash Trojan

[NOTE] The file was moved to '4a3804ff.qua'!

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\S12D8V8Z\mxd[1].jpg

[DETECTION] Is the TR/Bagle.trash Trojan

[NOTE] The file was moved to '4a2c0503.qua'!

C:\System Volume Information\_restore{23EF1CFA-5F19-40EF-9768-7D4E1D8A5B65}\RP137\A0036916.sys

[DETECTION] Is the TR/Rootkit.Gen Trojan

[NOTE] The file was moved to '49f804c4.qua'!

C:\System Volume Information\_restore{23EF1CFA-5F19-40EF-9768-7D4E1D8A5B65}\RP137\A0036934.sys

[DETECTION] Is the TR/Rootkit.Gen Trojan

[NOTE] The file was moved to '591d0e65.qua'!

C:\System Volume Information\_restore{23EF1CFA-5F19-40EF-9768-7D4E1D8A5B65}\RP137\A0036944.exe

[DETECTION] Is the TR/Dldr.Bagle.aoz Trojan

[NOTE] The file was moved to '591e16ad.qua'!

C:\System Volume Information\_restore{23EF1CFA-5F19-40EF-9768-7D4E1D8A5B65}\RP137\A0036991.sys

[DETECTION] Is the TR/Rootkit.Gen Trojan

[NOTE] The file was moved to '591f1ef5.qua'!

C:\System Volume Information\_restore{23EF1CFA-5F19-40EF-9768-7D4E1D8A5B65}\RP138\A0038731.exe

[DETECTION] Is the TR/Bagle.Gen.B Trojan

[NOTE] The file was moved to '465aaa15.qua'!

C:\System Volume Information\_restore{23EF1CFA-5F19-40EF-9768-7D4E1D8A5B65}\RP138\A0038832.exe

[DETECTION] Is the TR/Bagle.Gen.B Trojan

[NOTE] The file was moved to '59112d05.qua'!

C:\System Volume Information\_restore{23EF1CFA-5F19-40EF-9768-7D4E1D8A5B65}\RP138\A0038843.exe

[DETECTION] Is the TR/Bagle.Gen.B Trojan

[NOTE] The file was moved to '5912354d.qua'!

C:\System Volume Information\_restore{23EF1CFA-5F19-40EF-9768-7D4E1D8A5B65}\RP138\A0038844.exe

[DETECTION] Is the TR/Bagle.Gen.B Trojan

[NOTE] The file was moved to '59133d95.qua'!

C:\System Volume Information\_restore{23EF1CFA-5F19-40EF-9768-7D4E1D8A5B65}\RP138\A0038845.exe

[DETECTION] Is the TR/Bagle.Gen.B Trojan

[NOTE] The file was moved to '49f804c5.qua'!

C:\System Volume Information\_restore{23EF1CFA-5F19-40EF-9768-7D4E1D8A5B65}\RP138\A0038862.exe

[DETECTION] Is the TR/Bagle.Gen.B Trojan

[NOTE] The file was moved to '59154c26.qua'!

C:\System Volume Information\_restore{23EF1CFA-5F19-40EF-9768-7D4E1D8A5B65}\RP138\A0038863.exe

[DETECTION] Is the TR/PCK.Black.A.2947 Trojan

[NOTE] The file was moved to '5916546e.qua'!

C:\System Volume Information\_restore{23EF1CFA-5F19-40EF-9768-7D4E1D8A5B65}\RP138\A0038878.exe

[DETECTION] Is the TR/Bagle.Gen.B Trojan

[NOTE] The file was moved to '59175cb6.qua'!

C:\System Volume Information\_restore{23EF1CFA-5F19-40EF-9768-7D4E1D8A5B65}\RP138\A0038879.exe

[DETECTION] Is the TR/Dldr.Bagle.apa Trojan

[NOTE] The file was moved to '590864fe.qua'!

C:\System Volume Information\_restore{23EF1CFA-5F19-40EF-9768-7D4E1D8A5B65}\RP138\A0038883.exe

[DETECTION] Is the TR/Bagle.Gen.B Trojan

[NOTE] The file was moved to '59096cc6.qua'!

C:\System Volume Information\_restore{23EF1CFA-5F19-40EF-9768-7D4E1D8A5B65}\RP138\A0038884.exe

[DETECTION] Is the TR/Bagle.Gen.B Trojan

[NOTE] The file was moved to '590a6b0e.qua'!

C:\System Volume Information\_restore{23EF1CFA-5F19-40EF-9768-7D4E1D8A5B65}\RP138\A0038888.exe

[DETECTION] Is the TR/Dldr.Bagle.apa Trojan

[NOTE] The file was moved to '590b7356.qua'!

C:\System Volume Information\_restore{23EF1CFA-5F19-40EF-9768-7D4E1D8A5B65}\RP138\A0038890.exe

[DETECTION] Is the TR/Bagle.Gen.B Trojan

[NOTE] The file was moved to '590c7b9e.qua'!

C:\System Volume Information\_restore{23EF1CFA-5F19-40EF-9768-7D4E1D8A5B65}\RP138\A0038895.exe

[DETECTION] Is the TR/Bagle.Gen.B Trojan

[NOTE] The file was moved to '590d83e6.qua'!

C:\System Volume Information\_restore{23EF1CFA-5F19-40EF-9768-7D4E1D8A5B65}\RP138\A0038904.exe

[DETECTION] Is the TR/Dldr.Bagle.apa Trojan

[NOTE] The file was moved to '590e8a2e.qua'!

C:\System Volume Information\_restore{23EF1CFA-5F19-40EF-9768-7D4E1D8A5B65}\RP138\A0038916.sys

[DETECTION] Is the TR/Rootkit.Gen Trojan

[NOTE] The file was moved to '49f804c6.qua'!

C:\System Volume Information\_restore{23EF1CFA-5F19-40EF-9768-7D4E1D8A5B65}\RP138\A0038943.exe

[DETECTION] Is the TR/Dldr.Bagle.apa Trojan

[NOTE] The file was moved to '59009abf.qua'!

C:\System Volume Information\_restore{23EF1CFA-5F19-40EF-9768-7D4E1D8A5B65}\RP138\A0038951.exe

[DETECTION] Is the TR/Dldr.Bagle.apa Trojan

[NOTE] The file was moved to '5901a287.qua'!

C:\System Volume Information\_restore{23EF1CFA-5F19-40EF-9768-7D4E1D8A5B65}\RP138\A0038957.exe

[DETECTION] Is the TR/Dldr.Bagle.apa Trojan

[NOTE] The file was moved to '5902aacf.qua'!

C:\System Volume Information\_restore{23EF1CFA-5F19-40EF-9768-7D4E1D8A5B65}\RP138\A0038965.exe

[DETECTION] Is the TR/Dldr.Bagle.apa Trojan

[NOTE] The file was moved to '5903b117.qua'!

C:\System Volume Information\_restore{23EF1CFA-5F19-40EF-9768-7D4E1D8A5B65}\RP138\A0038967.sys

[DETECTION] Is the TR/Rootkit.Gen Trojan

[NOTE] The file was moved to '5904b95f.qua'!

C:\System Volume Information\_restore{23EF1CFA-5F19-40EF-9768-7D4E1D8A5B65}\RP138\A0038973.sys

[DETECTION] Is the TR/Rootkit.Gen Trojan

[NOTE] The file was moved to '5905c1a7.qua'!

C:\System Volume Information\_restore{23EF1CFA-5F19-40EF-9768-7D4E1D8A5B65}\RP139\A0039007.exe

[DETECTION] Is the TR/Dropper.Gen Trojan

[NOTE] The file was moved to '5906c9ef.qua'!

C:\System Volume Information\_restore{5CB9CCEC-9E0F-46F1-8CD8-87DDA9CD817E}\RP42\A0007716.exe

[DETECTION] Is the TR/Agent.2020522 Trojan

[NOTE] The file was moved to '5907d037.qua'!

C:\System Volume Information\_restore{5CB9CCEC-9E0F-46F1-8CD8-87DDA9CD817E}\RP42\A0007942.exe

[DETECTION] Is the TR/Agent.2020522 Trojan

[NOTE] The file was moved to '5910253f.qua'!

C:\System Volume Information\_restore{5CB9CCEC-9E0F-46F1-8CD8-87DDA9CD817E}\RP55\A0009432.exe

[DETECTION] Contains recognition pattern of the DR/BHO.kbm dropper

[NOTE] The file was moved to '58f8d87f.qua'!

C:\System Volume Information\_restore{5CB9CCEC-9E0F-46F1-8CD8-87DDA9CD817E}\RP56\A0009482.exe

[DETECTION] Is the TR/Dldr..Bagle.gy Trojan

[NOTE] The file was moved to '58fae88f.qua'!

C:\System Volume Information\_restore{5CB9CCEC-9E0F-46F1-8CD8-87DDA9CD817E}\RP56\A0009483.exe

[DETECTION] Is the TR/Dldr..Bagle.gy Trojan

[NOTE] The file was moved to '58fbf1b7.qua'!

C:\System Volume Information\_restore{5CB9CCEC-9E0F-46F1-8CD8-87DDA9CD817E}\RP56\A0009508.sys

[DETECTION] Is the TR/Rootkit.Gen Trojan

[NOTE] The file was moved to '58fcf9ff.qua'!

C:\System Volume Information\_restore{5CB9CCEC-9E0F-46F1-8CD8-87DDA9CD817E}\RP56\A0009543.sys

[DETECTION] Is the TR/Rootkit.Gen Trojan

[NOTE] The file was moved to '58fe01c7.qua'!

C:\System Volume Information\_restore{5CB9CCEC-9E0F-46F1-8CD8-87DDA9CD817E}\RP56\A0009550.sys

[DETECTION] Is the TR/Rootkit.Gen Trojan

[NOTE] The file was moved to '58ff080f.qua'!

C:\System Volume Information\_restore{5CB9CCEC-9E0F-46F1-8CD8-87DDA9CD817E}\RP57\A0009591.sys

[DETECTION] Is the TR/Rootkit.Gen Trojan

[NOTE] The file was moved to '58f01057.qua'!

C:\System Volume Information\_restore{5CB9CCEC-9E0F-46F1-8CD8-87DDA9CD817E}\RP58\A0009634.sys

[DETECTION] Is the TR/Rootkit.Gen Trojan

[NOTE] The file was moved to '58f1189f.qua'!

C:\System Volume Information\_restore{5CB9CCEC-9E0F-46F1-8CD8-87DDA9CD817E}\RP58\A0009656.sys

[DETECTION] Is the TR/Rootkit.Gen Trojan

[NOTE] The file was moved to '58f220e7.qua'!

C:\System Volume Information\_restore{5CB9CCEC-9E0F-46F1-8CD8-87DDA9CD817E}\RP59\A0009669.sys

[DETECTION] Is the TR/Rootkit.Gen Trojan

[NOTE] The file was moved to '58f32f2f.qua'!

C:\System Volume Information\_restore{5CB9CCEC-9E0F-46F1-8CD8-87DDA9CD817E}\RP60\A0009686.sys

[DETECTION] Is the TR/Rootkit.Gen Trojan

[NOTE] The file was moved to '58f43777.qua'!

C:\System Volume Information\_restore{5CB9CCEC-9E0F-46F1-8CD8-87DDA9CD817E}\RP60\A0009694.sys

[DETECTION] Is the TR/Rootkit.Gen Trojan

[NOTE] The file was moved to '49f804c7.qua'!

C:\System Volume Information\_restore{5CB9CCEC-9E0F-46F1-8CD8-87DDA9CD817E}\RP61\A0009724.sys

[DETECTION] Is the TR/Rootkit.Gen Trojan

[NOTE] The file was moved to '58f64788.qua'!

C:\System Volume Information\_restore{5CB9CCEC-9E0F-46F1-8CD8-87DDA9CD817E}\RP61\A0009739.sys

[DETECTION] Is the TR/Rootkit.Gen Trojan

[NOTE] The file was moved to '58f74fc0.qua'!

C:\System Volume Information\_restore{5CB9CCEC-9E0F-46F1-8CD8-87DDA9CD817E}\RP61\A0009776.sys

[DETECTION] Is the TR/Rootkit.Gen Trojan

[NOTE] The file was moved to '58e85618.qua'!

C:\System Volume Information\_restore{5CB9CCEC-9E0F-46F1-8CD8-87DDA9CD817E}\RP61\A0009803.sys

[DETECTION] Is the TR/Rootkit.Gen Trojan

[NOTE] The file was moved to '58e95e50.qua'!

C:\System Volume Information\_restore{5CB9CCEC-9E0F-46F1-8CD8-87DDA9CD817E}\RP61\A0009817.sys

[DETECTION] Is the TR/Rootkit.Gen Trojan

[NOTE] The file was moved to '58ea66a8.qua'!

C:\System Volume Information\_restore{5CB9CCEC-9E0F-46F1-8CD8-87DDA9CD817E}\RP63\A0009842.sys

[DETECTION] Is the TR/Rootkit.Gen Trojan

[NOTE] The file was moved to '58eb6ee0.qua'!

C:\System Volume Information\_restore{5CB9CCEC-9E0F-46F1-8CD8-87DDA9CD817E}\RP63\A0009856.sys

[DETECTION] Is the TR/Rootkit.Gen Trojan

[NOTE] The file was moved to '58ec7538.qua'!

C:\System Volume Information\_restore{5CB9CCEC-9E0F-46F1-8CD8-87DDA9CD817E}\RP63\A0009885.sys

[DETECTION] Is the TR/Rootkit.Gen Trojan

[NOTE] The file was moved to '58ed7d70.qua'!

C:\System Volume Information\_restore{5CB9CCEC-9E0F-46F1-8CD8-87DDA9CD817E}\RP63\A0009901.sys

[DETECTION] Is the TR/Rootkit.Gen Trojan

[NOTE] The file was moved to '58ee8548.qua'!

C:\WINDOWS\LOOP.exe

[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan

[NOTE] The file was moved to '4a1704e6.qua'!

D:\System Volume Information\_restore{5CB9CCEC-9E0F-46F1-8CD8-87DDA9CD817E}\RP33\A0006024.exe

[NOTE] The file was moved to '58e19c10.qua'!

H:\cle act\NEWER\autorun.inf

[DETECTION] Contains recognition pattern of the WORM/Autorun.edc.1 worm

[NOTE] The file was moved to '4a3c0538.qua'!

H:\cle act\NEWER\RECYCLER\S-1-6-21-2434476501-1644491937-600003330-1213\autorunme.exe

[DETECTION] Is the TR/Dropper.Gen Trojan

[NOTE] The file was moved to '5b6370d1.qua'!

H:\cle act\OLD\autorun.inf

[DETECTION] Contains recognition pattern of the WORM/Autorun.edc.1 worm

[NOTE] The file was moved to '58d52cf9.qua'!

H:\cle act\OLD\RECYCLER\S-1-6-21-2434476501-1644491937-600003330-1213\autorunme.exe

[DETECTION] Is the TR/Dropper.Gen Trojan

[NOTE] The file was moved to '58ce6af1.qua'!

H:\System Volume Information\_restore{23EF1CFA-5F19-40EF-9768-7D4E1D8A5B65}\RP137\A0036977.exe

[DETECTION] Is the TR/PCK.Black.A.2947 Trojan

[NOTE] The file was moved to '5abb2bcf.qua'!

H:\System Volume Information\_restore{23EF1CFA-5F19-40EF-9768-7D4E1D8A5B65}\RP138\A0038933.exe

[DETECTION] Contains recognition pattern of the DR/Small.AI.1 dropper

[NOTE] The file was moved to '5abd439f.qua'!

H:\System Volume Information\_restore{23EF1CFA-5F19-40EF-9768-7D4E1D8A5B65}\RP138\A0038934.exe

[DETECTION] Contains recognition pattern of the DR/Small.AI.1 dropper

[NOTE] The file was moved to '5af7a29f.qua'!

H:\System Volume Information\_restore{23EF1CFA-5F19-40EF-9768-7D4E1D8A5B65}\RP138\A0038941.exe

[DETECTION] Contains recognition pattern of the DR/Small.AI.1 dropper

[NOTE] The file was moved to '5ab91b5f.qua'!

H:\System Volume Information\_restore{23EF1CFA-5F19-40EF-9768-7D4E1D8A5B65}\RP138\A0038942.exe

[DETECTION] Contains recognition pattern of the DR/Small.AI.1 dropper

[NOTE] The file was moved to '5aba2387.qua'!

 

 

End of the scan: Monday, March 23, 2009 22:53

Used time: 2:00:39 Hour(s)

 

The scan has been done completely.

 

29385 Scanned directories

1034732 Files were scanned

115 Viruses and/or unwanted programs were found

6 Files were classified as suspicious

1 files were deleted

0 Viruses and unwanted programs were repaired

113 Files were moved to quarantine

0 Files were renamed

2 Files cannot be scanned

1034411 Files not concerned

32513 Archives were scanned

3 Warnings


Hello act :P

 

What fine work! (AntiVir and you :P )

 

C:\WINDOWS\algd.exe

[DETECTION] Is the TR/Dropper.Gen Trojan

[NOTE] TR/Dropper.Gen:[HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN]:<Windows Messanger Control Center>=sz:algd.exe

[NOTE] The file was deleted!

Ah, so the rascal was there after all; a backdoor, but not Bagle.

 

AntiVir seems to have cleaned everything, including the H: drive (USB key). That is excellent, because Bagle spreads via removable drives. Now that AntiVir is properly installed and protecting you, I strongly advise you to keep it because, quite obviously, this machine is at risk. I must also tell you that there are infections worse than Bagle circulating in the world of cracks at the moment, for which formatting is the only solution. Moreover, XP 64 is special (you know that), so most of our usual tools do not run on it, until proven otherwise.

 

============

 

Now for Safe Mode: I could not find the keys specific to XP 64, but I will assume they are similar to those of 32-bit XP. I will give them to you and, at worst, it will not work, without any additional damage (and I will keep searching if need be). Just download the file from the following link and save it to your Desktop (under Windows):

http://senduit.com/7a3783

 

>> Launch it by double-clicking, accept its execution, then accept the merge into the registry. Restart while tapping the F8 key to try Safe Mode again. Tell me if it works :P

 

Next, launch Malwarebytes' Anti-Malware and choose the Update tab; run the update, then run a quick scan again, just to see whether everything has been cleaned. No need to post the report if nothing is detected.

 

Depending on what it finds, we will then have to repair the Windows Security Center (disabled by Bagle). If you use, or think you might one day use, a Wi-Fi connection with that machine, let me know, because Bagle disables that too.

 

See you soon for the next step,
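The SafeBoot repair above relies on merging a downloaded .reg file; before doing that, a defender wants to confirm that the SafeBoot keys really are missing (which is what blocks F8 Safe Mode) and to keep a backup of whatever is currently there. The following PowerShell script is an added example and is not code from the thread or from any of its participants. It assumes the standard key path used by 32-bit XP (`HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot` with the `Minimal` and `Network` profiles); the thread itself notes that the XP 64 layout was not confirmed, so treat that path as an assumption there. The function names (`Test-SafeBootKeys`, `Show-SafeBootStatus`, `Backup-SafeBootKey`) and the backup file name are also assumptions chosen for this example.

```powershell
# Added example (not from the thread): check the SafeBoot registry keys that
# Safe Mode depends on, report what is missing, and export a backup with
# reg.exe before a downloaded .reg file is merged.
# Assumption: the standard 32-bit XP key path; the thread did not confirm XP 64.

$SafeBootRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'
$Profiles     = @('Minimal', 'Network')   # the two Safe Mode profiles

function Test-SafeBootKeys {
    param([string]$Root = $SafeBootRoot)
    # Returns a hashtable: profile name -> number of subkeys,
    # or -1 when the profile key does not exist at all.
    $result = @{}
    foreach ($p in $Profiles) {
        $path = Join-Path $Root $p
        if (Test-Path $path) {
            $count = (Get-ChildItem -Path $path -ErrorAction SilentlyContinue | Measure-Object).Count
            $result[$p] = [int]$count
        } else {
            $result[$p] = -1
        }
    }
    return $result
}

function Show-SafeBootStatus {
    $status = Test-SafeBootKeys
    foreach ($p in $Profiles) {
        if ($status[$p] -lt 0) {
            Write-Host ("SafeBoot\{0}: MISSING - Safe Mode cannot start in this profile; restore it from a known-good .reg file" -f $p)
        } elseif ($status[$p] -eq 0) {
            Write-Host ("SafeBoot\{0}: present but EMPTY - no drivers or services would load in Safe Mode" -f $p)
        } else {
            Write-Host ("SafeBoot\{0}: present, {1} entries" -f $p, $status[$p])
        }
    }
}

function Backup-SafeBootKey {
    param([string]$OutFile = (Join-Path $env:USERPROFILE 'Desktop\SafeBoot-backup.reg'))
    # reg.exe ships with XP and later; export whatever exists now so the merge
    # can be undone. Nothing to export if the whole SafeBoot key is gone.
    if (-not (Test-Path $SafeBootRoot)) { return $null }
    if (Test-Path $OutFile) { Remove-Item -Path $OutFile -Force }
    & reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot' $OutFile | Out-Null
    if (Test-Path $OutFile) { return $OutFile }
    return $null
}

# Run the check, then take the backup. Re-run Show-SafeBootStatus after the
# .reg merge and reboot to confirm both profiles are populated again.
Show-SafeBootStatus
$backup = Backup-SafeBootKey
if ($backup) { Write-Host "Current SafeBoot key exported to $backup" }
```

Run it from an administrator PowerShell prompt. A `MISSING` result for both profiles matches the symptom in the thread (F8 Safe Mode no longer boots), and the exported .reg gives you a way back if the merged file turns out to be wrong for this Windows edition; open any downloaded .reg in Notepad first so you can see that it only writes under the SafeBoot key.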


First of all, thank you once again for your help and your patience.

No boot in "Safe Mode", and I ran Malwarebytes' Anti-Malware after updating it, with no detections.

What should I do?

I need to test Live now; I will certainly be working with it this weekend.

See you,


Hi :P

 

Well, I am going to dig around for the SafeBoot keys; it may take a while, though. I will keep you posted.

 

As for Live: silly me, I thought you were talking about Windows Live (Messenger), but yours is a sequencer. I hope it will work again. As for Acronis, you will most likely have to reinstall it, since Bagle ate its executable; unless you can find the file on another machine.

 

The infection seems completely dead now. Excellent.

 

Tell me how it goes with Live and do not hesitate to report any other malfunction. I am continuing my research :P

 

@+


Good evening act, Qc001,

 

@ Act. I am stepping in exceptionally to confirm that we are starting to look for information on the Safeboot registry key of your system. Since XP 64 SP2 is rarely installed, we are having trouble finding it, but we are going to try to get help from Microsoft's teams (which is not straightforward either, as this system is no longer available).

 

Your infection is very interesting and significant... congratulations to both of you on your results! :P

 

See you soon.
