Discussion :

[ttone]

Horreur, en voulant vérifier qu'Avast ne bloquait pas une installation VS2008, j'ai eu la désagréable surprise de voir Avast éteint () et de recevoir au lancement :

avast n'est pas une aplicaiton windows 32 valide

Il s'agit probablement d'un maleware, mais comment le virer puisque je ne peux plus lancer Avast (j'ai essayé plusieurs réinstallation prorpres, sans succés)

Merci

[rlgrand]

c'est peut-etre une infection Bagle.
On va le vérifier.

Tu vas télécharger Elibagla ( en bas de la page Descargar Elibagla )
http://www.zonavirus.com/datos/desca...5/elibagla.asp

Tu vas essayer de redemarrer en mode sans echec et lancer Elibagla.
Si tu n'y arrives pas, n'insiste pas. Et dans tous les cas, n'essaie pas de le forcer en passanr par Msconfig.
Dans ce cas, tu lanceras le logciel à partir de XP.

Peux-tu poster le rapport ?

[ttone]

c'est peut-etre une infection Bagle.
On va le vérifier.

Tu vas télécharger Elibagla

Ca a l'air, j'ai déjà télécharger Elibagla, qui a refusé de se lancer en mentionnant Bagle justement

J'essaye en mod sans échec

[ttone]

écran bleu au passage mode sans échec (je suis en virtualisation VMWare)

[rlgrand]

Souvent, le bagle neutralise Elibagla.
Tu le renommes en machin.exe pour tromper le virus.

Si tu arrives à passer l'outil mais sans résultat ( access denegado ), reessair plusieurs fois. Ca marche parfois.

Sinon, on passe à un autre outil.

[rlgrand]

ttone a dit :

je suis en virtualisation VMWare

C'est ta machine virtuelle qui est infectée ?

[ttone]

Merci beaucoup,

Code :

Sélectionner tout - Visualiser dans une fenêtre à part

C'est ta machine virtuelle qui est infectée ?

non


c'est vraiment étrange, tous les antivirus et consors sont in-lancable.
J'ai pensé au "renommer", ... mais bon


Voici mon rapport :

detectado Gusano Bagle

Wed Jun 25 23:01:41 2008
EliBagle v11.52 (c)2008 S.G.H. / Satinfo S.L. (Actualizado el 25 de Junio del 2008)
----------------------------------------------
Lista de Acciones (por Acción Directa):
C:\WINDOWS\SYSTEM32\WINTEMS.EXE --> Bagle Acceso Denegado.
C:\WINDOWS\SYSTEM32\BAN_LIST.TXT --> Eliminado Bagle
C:\WINDOWS\SYSTEM32\DRIVERS\SROSA.SYS --> Bagle (rootkit) Acceso Denegado.
C:\WINDOWS\SYSTEM32\DRIVERS\HLDRRR.EXE --> Bagle.dldr Acceso Denegado.
C:\DOCUMENTS AND SETTINGS\DEVELOPER\APPLICATION DATA\M\FLEC006.EXE --> Bagle Acceso Denegado.
C:\DOCUMENTS AND SETTINGS\DEVELOPER\APPLICATION DATA\M\LIST.OCT --> Eliminado Bagle

Wed Jun 25 23:02:22 2008
EliBagle v11.52 (c)2008 S.G.H. / Satinfo S.L. (Actualizado el 25 de Junio del 2008)
----------------------------------------------
Lista de Acciones (por Acción Directa):
C:\WINDOWS\SYSTEM32\WINTEMS.EXE --> Bagle Acceso Denegado.
C:\WINDOWS\SYSTEM32\DRIVERS\SROSA.SYS --> Bagle (rootkit) Acceso Denegado.
C:\WINDOWS\SYSTEM32\DRIVERS\HLDRRR.EXE --> Bagle.dldr Acceso Denegado.
C:\DOCUMENTS AND SETTINGS\DEVELOPER\APPLICATION DATA\M\FLEC006.EXE --> Bagle Acceso Denegado.
Restaurada Clave: "SafeBoot\Minimal y Network"
Reinicie para Completar la Limpieza.

Wed Jun 25 23:48:33 2008
EliBagle v11.52 (c)2008 S.G.H. / Satinfo S.L. (Actualizado el 25 de Junio del 2008)
----------------------------------------------
Lista de Acciones (por Acción Directa):
C:\WINDOWS\SYSTEM32\WINTEMS.EXE --> Bagle Acceso Denegado.
C:\WINDOWS\SYSTEM32\DRIVERS\SROSA.SYS --> Bagle (rootkit) Acceso Denegado.
C:\WINDOWS\SYSTEM32\DRIVERS\HLDRRR.EXE --> Bagle.dldr Acceso Denegado.
C:\DOCUMENTS AND SETTINGS\DEVELOPER\APPLICATION DATA\M\FLEC006.EXE --> Bagle Acceso Denegado.
Restaurada Clave: "SafeBoot\Minimal y Network"
Reinicie para Completar la Limpieza.

Wed Jun 25 23:53:32 2008
EliBagle v11.52 (c)2008 S.G.H. / Satinfo S.L. (Actualizado el 25 de Junio del 2008)
----------------------------------------------
Lista de Acciones (por Acción Directa):
C:\WINDOWS\SYSTEM32\WINTEMS.EXE --> Bagle Acceso Denegado.
C:\WINDOWS\SYSTEM32\BAN_LIST.TXT --> Eliminado Bagle
C:\WINDOWS\SYSTEM32\DRIVERS\SROSA.SYS --> Bagle (rootkit) Acceso Denegado.
C:\WINDOWS\SYSTEM32\DRIVERS\HLDRRR.EXE --> Bagle.dldr Acceso Denegado.
C:\DOCUMENTS AND SETTINGS\DEVELOPER\APPLICATION DATA\M\FLEC006.EXE --> Bagle.dldr Acceso Denegado.
Reinicie para Completar la Limpieza.

Wed Jun 25 23:54:06 2008
EliBagle v11.52 (c)2008 S.G.H. / Satinfo S.L. (Actualizado el 25 de Junio del 2008)
----------------------------------------------
Lista de Acciones (por Acción Directa):
C:\WINDOWS\SYSTEM32\WINTEMS.EXE --> Bagle Acceso Denegado.
C:\WINDOWS\SYSTEM32\DRIVERS\SROSA.SYS --> Bagle (rootkit) Acceso Denegado.
C:\WINDOWS\SYSTEM32\DRIVERS\HLDRRR.EXE --> Bagle.dldr Acceso Denegado.
C:\DOCUMENTS AND SETTINGS\DEVELOPER\APPLICATION DATA\M\FLEC006.EXE --> Bagle.dldr Acceso Denegado.
Reinicie para Completar la Limpieza.

Wed Jun 25 23:54:12 2008
EliBagle v11.52 (c)2008 S.G.H. / Satinfo S.L. (Actualizado el 25 de Junio del 2008)
----------------------------------------------
Lista de Acciones (por Acción Directa):
C:\WINDOWS\SYSTEM32\WINTEMS.EXE --> Bagle Acceso Denegado.
C:\WINDOWS\SYSTEM32\DRIVERS\SROSA.SYS --> Bagle (rootkit) Acceso Denegado.
C:\WINDOWS\SYSTEM32\DRIVERS\HLDRRR.EXE --> Bagle.dldr Acceso Denegado.
C:\DOCUMENTS AND SETTINGS\DEVELOPER\APPLICATION DATA\M\FLEC006.EXE --> Bagle.dldr Acceso Denegado.
Reinicie para Completar la Limpieza.

-->écran bleu

je reboote et j'essaie en renommant :

rapport :

[rlgrand]

Bon, a priori tu ne l'auras pas avec Elibagla.

On va passer à l'artillerie lourde. A manipuler avec précaution.

Tu vas télécharger ComBoFix.

On va le passer une première fois pour rechercher les infections.
Lance Combofix.exe et suis les invites.
Une fois le scan fini, un rapport va apparaitre.
Copie/colle ce rapport dans ta prochaine réponse.
Si tu ne le trouves pas, il est à C:\ComboFix.txt

[ttone]

ComboFix n'est pas une application win32 valide

Machin n'est pas une application win32 valide

Ils sont malins ces maleware, il faut renommer avant l'écriture disque (sur mac pour moi) :

--> écran bleu

-->

[rlgrand]

renomme le en combo-fix.exe.

[ttone]

hello, alors bon WE du 14/07?
des nouvelles :
rapport Elibagla :

Code :

Sélectionner tout - Visualiser dans une fenêtre à part

1
2
3
4
5
6
7
8
9
10
11
  Sun Jun 29 19:46:03 2008
EliBagle v11.52  (c)2008 S.G.H. / Satinfo S.L. (Actualizado el 25 de Junio del 2008)
----------------------------------------------
Lista de Acciones (por Acción Directa):
C:\WINDOWS\SYSTEM32\WINTEMS.EXE --> Eliminado Bagle
Por favor, envienos una muestra del fichero
C:\Muestras\SROSA.SYS.Muestra EliBagle v11.52
 a "virus@satinfo.es".  Gracias.
C:\WINDOWS\SYSTEM32\DRIVERS\SROSA.SYS --> Eliminado Bagle
C:\WINDOWS\SYSTEM32\DRIVERS\HLDRRR.EXE --> Eliminado Bagle.dldr
C:\DOCUMENTS AND SETTINGS\DEVELOPER\APPLICATION DATA\M\FLEC006.EXE --> Eliminado Bagle.dldr

rapport ComboFix :

ComboFix 08-06-20.4 - developer 2008-06-29 19:47:52.1 - NTFSx86

Endroit: C:\Documents and Settings\developer\Bureau\1.exe

AVERTISSEMENT - LA CONSOLE DE RÉCUPÉRATION N'EST PAS INSTALLÉE SUR CETTE MACHINE !!
.

(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\developer\Application Data\m
C:\Documents and Settings\henry\Application Data\m
C:\Documents and Settings\henry\Application Data\m\flec006.exe
C:\Documents and Settings\henry\Application Data\m\shared
C:\Documents and Settings\henry\Application Data\m\shared\1st_Screen_Lock_7.3_Key.zip
C:\Documents and Settings\henry\Application Data\m\shared\3D_Manatees_1.0.zip
C:\Documents and Settings\henry\Application Data\m\shared\3D_Mona_Lisa_Dances_to_Bolero_1.0_[KeyGen].zip
C:\Documents and Settings\henry\Application Data\m\shared\70-528_Practice_Exam_Testing_Engine_Software_1.0_(KeyGen).zip
C:\Documents and Settings\henry\Application Data\m\shared\Aimersoft_MOV_Converter_1.0.20.zip
C:\Documents and Settings\henry\Application Data\m\shared\Alive!_Jigsaw_Producer_1.6_(Key+Serial).zip
C:\Documents and Settings\henry\Application Data\m\shared\Alvas.FileControls_3.0_(Key).zip
C:\Documents and Settings\henry\Application Data\m\shared\Alventis_1.2.zip
C:\Documents and Settings\henry\Application Data\m\shared\AntiVirus_Tester_1.0.zip
C:\Documents and Settings\henry\Application Data\m\shared\AnyMaxi_Text_Count_and_Invoicing_Software_4.zip
C:\Documents and Settings\henry\Application Data\m\shared\API_Monitor_1.1.1.70.zip
C:\Documents and Settings\henry\Application Data\m\shared\Aplus_DVD_to_Divx_Xvid_Ripper_4.38.zip
C:\Documents and Settings\henry\Application Data\m\shared\Audition_2000_4.3.zip
C:\Documents and Settings\henry\Application Data\m\shared\Avast.Pro.v4.7.869.German.Incl.Keymaker-CORE.zip
C:\Documents and Settings\henry\Application Data\m\shared\Basic_Electrical_Troubleshooting_2.50.zip
C:\Documents and Settings\henry\Application Data\m\shared\Battlefield_Vietnam_La_Tan_Village_map.zip
C:\Documents and Settings\henry\Application Data\m\shared\Blue_Theme_1.0.zip
C:\Documents and Settings\henry\Application Data\m\shared\BlueHarvest_1.1.zip
C:\Documents and Settings\henry\Application Data\m\shared\Box_Editor_1.0_With_Crack.zip
C:\Documents and Settings\henry\Application Data\m\shared\Brainstorm_mp3_Catalog_0.5_alpha.zip
C:\Documents and Settings\henry\Application Data\m\shared\Calendar_Updates_1.1.zip
C:\Documents and Settings\henry\Application Data\m\shared\CoderForm_3.0.zip
C:\Documents and Settings\henry\Application Data\m\shared\CoffeeCup_Web_Video_Player_4.9.zip
C:\Documents and Settings\henry\Application Data\m\shared\Cool_Shutdown_1.0.zip
C:\Documents and Settings\henry\Application Data\m\shared\CryptoHelp-bundle_6.08_(Crack).zip
C:\Documents and Settings\henry\Application Data\m\shared\CS_Emancipation_Calculator_1.0.zip
C:\Documents and Settings\henry\Application Data\m\shared\CSUpload_Controls_Package_1.0_[Key+Serial].zip
C:\Documents and Settings\henry\Application Data\m\shared\Datatrieve_Online_Backup_System_1.3.zip
C:\Documents and Settings\henry\Application Data\m\shared\Deep_Thoughts_0.2.zip
C:\Documents and Settings\henry\Application Data\m\shared\DirectParallel_Connection_Game_1.0.zip
C:\Documents and Settings\henry\Application Data\m\shared\Drag-N-Dropper_1.0_[With_Crack].zip
C:\Documents and Settings\henry\Application Data\m\shared\DVD_iPhone_Ripper_6.5.0.2.zip
C:\Documents and Settings\henry\Application Data\m\shared\E-mail_Follow-Up_1.8_[With_Crack].zip
C:\Documents and Settings\henry\Application Data\m\shared\EasyMP3_2005_2.0.0.19.zip
C:\Documents and Settings\henry\Application Data\m\shared\Elite_Calculator_1.1_Build_1.1.0.1.zip
C:\Documents and Settings\henry\Application Data\m\shared\Elite_Utilities_9_Professional_9.2.1.zip
C:\Documents and Settings\henry\Application Data\m\shared\Elzed_1.0.zip
C:\Documents and Settings\henry\Application Data\m\shared\EMMentor_Algebra_short_3.0_Crack.zip
C:\Documents and Settings\henry\Application Data\m\shared\Employee_Task_Chaser_1.3_(Patch).zip
C:\Documents and Settings\henry\Application Data\m\shared\Encryption_Workshop_3.2_Build_60220.zip
C:\Documents and Settings\henry\Application Data\m\shared\Eurora_Maker_1.0.zip
C:\Documents and Settings\henry\Application Data\m\shared\Ewido.Anti-Spyware.V.4.0.0.172C.-.Registration.zip
C:\Documents and Settings\henry\Application Data\m\shared\Exposure_1.0.zip
C:\Documents and Settings\henry\Application Data\m\shared\Filtrd_RSS_1.0.1.zip
C:\Documents and Settings\henry\Application Data\m\shared\FLVDownload_1.0_(KeyGen).zip
C:\Documents and Settings\henry\Application Data\m\shared\Food_File_1.0.5.zip
C:\Documents and Settings\henry\Application Data\m\shared\Genie_Online_Backup_1.0_[Key+Serial].zip
C:\Documents and Settings\henry\Application Data\m\shared\Gmail_Notifier_Firefox_Add-on_0.6.1.zip
C:\Documents and Settings\henry\Application Data\m\shared\Half-Life_2_E3_2004_official_trailer.zip
C:\Documents and Settings\henry\Application Data\m\shared\Hit_The_Monkeys_fir_Pocket_PC_1.3.zip
C:\Documents and Settings\henry\Application Data\m\shared\HyperOs_OneClick_S4.54.zip
C:\Documents and Settings\henry\Application Data\m\shared\ICQ_Away_Message_Generator_1.0.zip
C:\Documents and Settings\henry\Application Data\m\shared\ImTOO_PSP_Video_Converter_3.1.38.0802b_[With_Crack].zip
C:\Documents and Settings\henry\Application Data\m\shared\iPod_EBook_Maker_-_Funetica_2.1.zip
C:\Documents and Settings\henry\Application Data\m\shared\Lector_2.1.zip
C:\Documents and Settings\henry\Application Data\m\shared\Look_RS232_4.3_Patch.zip
C:\Documents and Settings\henry\Application Data\m\shared\Mass_Downloader_3.3.691_SR1_(Key).zip
C:\Documents and Settings\henry\Application Data\m\shared\Mileage_1.01.zip
C:\Documents and Settings\henry\Application Data\m\shared\Misty_and_Dancing_Balls_1.0_[Key].zip
C:\Documents and Settings\henry\Application Data\m\shared\MsgAgent_0.37b.zip
C:\Documents and Settings\henry\Application Data\m\shared\MSN_Spy_Monitor_2007_6.6.1.zip
C:\Documents and Settings\henry\Application Data\m\shared\MyJSQLView_Beta_2.72.zip
C:\Documents and Settings\henry\Application Data\m\shared\Orbitz_Search_Widget_1.zip
C:\Documents and Settings\henry\Application Data\m\shared\ORF_Enterprise_Edition_2.0.1_With_Crack.zip
C:\Documents and Settings\henry\Application Data\m\shared\OrgPlus_Professional_7_(Cracked).zip
C:\Documents and Settings\henry\Application Data\m\shared\Oud_Tutor_1.4.zip
C:\Documents and Settings\henry\Application Data\m\shared\PageLock_Website_Copy_Protection_5.0.0.0_(With_Crack).zip
C:\Documents and Settings\henry\Application Data\m\shared\PCTV4Me_2.1.3.zip
C:\Documents and Settings\henry\Application Data\m\shared\PDF-Forms_2_(Key).zip
C:\Documents and Settings\henry\Application Data\m\shared\PgmText_2.00.zip
C:\Documents and Settings\henry\Application Data\m\shared\PhysConst_1.3.zip
C:\Documents and Settings\henry\Application Data\m\shared\Planimeter_II_1.0.zip
C:\Documents and Settings\henry\Application Data\m\shared\Polar_Knowledge_Base_3.0.2.0_[Key+Serial].zip
C:\Documents and Settings\henry\Application Data\m\shared\PractiCount_Toolbar_Professional_for_MS_Office_1.1.zip
C:\Documents and Settings\henry\Application Data\m\shared\Prevx1.52(2)buono.sicuro.zip
C:\Documents and Settings\henry\Application Data\m\shared\PrintJobs_5.0.zip
C:\Documents and Settings\henry\Application Data\m\shared\Program_Manager_XP_1.1.zip
C:\Documents and Settings\henry\Application Data\m\shared\PSS_Update_Check_Control_1.0.zip
C:\Documents and Settings\henry\Application Data\m\shared\Pulsradio_Widget_1.0.zip
C:\Documents and Settings\henry\Application Data\m\shared\Query-A-Recordset_1.2.zip
C:\Documents and Settings\henry\Application Data\m\shared\Quick_start_launcher_1.0c.zip
C:\Documents and Settings\henry\Application Data\m\shared\RankRobot_1.0.5_(With_Crack).zip
C:\Documents and Settings\henry\Application Data\m\shared\Realworth_3.5.zip
C:\Documents and Settings\henry\Application Data\m\shared\Rebecca's_Colouring_Book_1.1.zip
C:\Documents and Settings\henry\Application Data\m\shared\Resource_Builder_2.6.2.0_KeyGen.zip
C:\Documents and Settings\henry\Application Data\m\shared\RICOlmer_2.5.zip
C:\Documents and Settings\henry\Application Data\m\shared\Salvo_demo.zip
C:\Documents and Settings\henry\Application Data\m\shared\ScriptCleaner_1.0.zip
C:\Documents and Settings\henry\Application Data\m\shared\Secure_Folder_Hider_1.zip
C:\Documents and Settings\henry\Application Data\m\shared\SecureBlackbox_(.NET)_5.1_[Key+Serial].zip
C:\Documents and Settings\henry\Application Data\m\shared\Shockwave_Player_10.1.3.018.zip
C:\Documents and Settings\henry\Application Data\m\shared\Simple_Server_Monitor_2.0.1.zip
C:\Documents and Settings\henry\Application Data\m\shared\Smart_Pc_Keylogger_3.2.zip
C:\Documents and Settings\henry\Application Data\m\shared\SmartFox_1.8.zip
C:\Documents and Settings\henry\Application Data\m\shared\Soft_Sea_Drop-Down_Menu_1.0_KeyGen.zip
C:\Documents and Settings\henry\Application Data\m\shared\Songbird_0.2.5_Developer_Preview.zip
C:\Documents and Settings\henry\Application Data\m\shared\SpellBound_1.0.zip
C:\Documents and Settings\henry\Application Data\m\shared\Spyware_Doctor_5.0.5.259.zip
C:\Documents and Settings\henry\Application Data\m\shared\StarSkin_2.5.2.5_[Key].zip
C:\Documents and Settings\henry\Application Data\m\shared\StrongDisk_Pro_3.6_build_508_[Cracked].zip
C:\Documents and Settings\henry\Application Data\m\shared\Sun_3D_Screensaver_1.1_(KeyGen).zip
C:\Documents and Settings\henry\Application Data\m\shared\System_Mechanic_7.1.10.7.zip
C:\Documents and Settings\henry\Application Data\m\shared\System_Spex_2007_1.0.0.0.zip
C:\Documents and Settings\henry\Application Data\m\shared\Systemscripter_6.1.2.zip
C:\Documents and Settings\henry\Application Data\m\shared\Taggin'_MP3_1.4.zip
C:\Documents and Settings\henry\Application Data\m\shared\Talking_Translator_Pro_1.7.zip
C:\Documents and Settings\henry\Application Data\m\shared\TessEm7000_1.1.zip
C:\Documents and Settings\henry\Application Data\m\shared\The_Art_of_Money_Getting_1.0_(Key).zip
C:\Documents and Settings\henry\Application Data\m\shared\The_Complete_Guide_to_Internet_Marketing_1.0.zip
C:\Documents and Settings\henry\Application Data\m\shared\TheOne_Health_Checker_Pro_1.5.zip
C:\Documents and Settings\henry\Application Data\m\shared\TimeSync_2.3.0.zip
C:\Documents and Settings\henry\Application Data\m\shared\TrendCatch_AI_5.4.zip
C:\Documents and Settings\henry\Application Data\m\shared\TrustWatch_Search_for_Firefox_0.2.4.zip
C:\Documents and Settings\henry\Application Data\m\shared\TVPX_1031_Depreciation_Solution_3.0_[Serial].zip
C:\Documents and Settings\henry\Application Data\m\shared\Ultra-LightPrompter_1.3.2.44_[Patch].zip
C:\Documents and Settings\henry\Application Data\m\shared\URI_Crypter_3.1.zip
C:\Documents and Settings\henry\Application Data\m\shared\Vevo!_CatalogMaker_1.2.zip
C:\Documents and Settings\henry\Application Data\m\shared\VisualStat_5.1.zip
C:\Documents and Settings\henry\Application Data\m\shared\W8Soft_Ad-Spy_Remover_1.6_[Cracked].zip
C:\Documents and Settings\henry\Application Data\m\shared\Warcraft_III_-_Mathias_Chapter_19_map.zip
C:\Documents and Settings\henry\Application Data\m\shared\WinSettings_Pro_2.zip
C:\Documents and Settings\henry\Application Data\m\shared\WinSwitch_1.4.zip
C:\Documents and Settings\henry\Application Data\m\shared\WireTap_Pro_1.1.1.zip
C:\Documents and Settings\henry\Application Data\m\shared\wodAppUpdate_1.2.1.0_(Key).zip
C:\Documents and Settings\henry\Application Data\m\shared\Wondershare_Photo_Collage_Studio_1.4.5.zip
C:\Documents and Settings\henry\Application Data\m\shared\Xilisoft_DivX_to_DVD_Converter_3.0.26.0323_Patch.zip
C:\Documents and Settings\henry\Application Data\m\shared\Xml2PDF_3.0.18_[Patch].zip
C:\Documents and Settings\henry\Application Data\m\shared\ZipCodeNow_1.1_KeyGen.zip
C:\Documents and Settings\henry\Application Data\m\shared\ZooCubeZQ_1.zip
C:\WINDOWS\system32\drivers\downld
C:\WINDOWS\system32\drivers\mdelk.exe
C:\WINDOWS\system32\lsprst7.dll
C:\WINDOWS\system32\mdelk.exe
C:\WINDOWS\system32\ssprs.dll
.
---- Previous Run -------
.
C:\WINDOWS\system32\drivers\downld
C:\WINDOWS\system32\drivers\downld\488312.exe
C:\WINDOWS\system32\drivers\downld\587843.exe
C:\WINDOWS\system32\drivers\downld\595656.exe
C:\WINDOWS\system32\drivers\downld\596875.exe
C:\WINDOWS\system32\drivers\downld\598906.exe
C:\WINDOWS\system32\drivers\downld\604250.exe
C:\WINDOWS\system32\drivers\downld\611265.exe
C:\WINDOWS\system32\drivers\downld\614546.exe
C:\WINDOWS\system32\drivers\downld\622218.exe
C:\WINDOWS\system32\drivers\downld\645343.exe
C:\WINDOWS\system32\drivers\downld\675453.exe
C:\WINDOWS\system32\drivers\downld\679531.exe
C:\WINDOWS\system32\drivers\downld\83515.exe
C:\WINDOWS\system32\drivers\downld\847296.exe
C:\WINDOWS\system32\drivers\downld\858828.exe
C:\WINDOWS\system32\drivers\downld\86015.exe
C:\WINDOWS\system32\drivers\downld\872484.exe
C:\WINDOWS\system32\drivers\downld\873656.exe
C:\WINDOWS\system32\drivers\downld\881484.exe
C:\WINDOWS\system32\drivers\downld\891812.exe
C:\WINDOWS\system32\drivers\downld\896843.exe
C:\WINDOWS\system32\drivers\downld\898750.exe
C:\WINDOWS\system32\drivers\downld\92562.exe
C:\WINDOWS\system32\drivers\downld\96609.exe
C:\WINDOWS\system32\drivers\downld\992562.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SROSA


((((((((((((((((((((((((((((( Fichiers cr‚‚s 2008-05-28 to 2008-06-29 ))))))))))))))))))))))))))))))))))))
.

2008-06-29 19:59 . 2004-08-19 18:09 290,816 --a--c--- C:\WINDOWS\system32\dllcache\OLD12.tmp
2008-06-29 19:59 . 2004-08-19 17:56 281,600 --a--c--- C:\WINDOWS\system32\dllcache\OLD20.tmp
2008-06-29 19:59 . 2003-03-24 15:52 188,480 --a--c--- C:\WINDOWS\system32\dllcache\OLD24.tmp
2008-06-29 19:59 . 2002-09-06 21:59 96,768 --a--c--- C:\WINDOWS\system32\dllcache\OLD1D.tmp
2008-06-29 19:59 . 2004-08-19 17:58 77,824 --a--c--- C:\WINDOWS\system32\dllcache\OLD27.tmp
2008-06-29 19:59 . 2004-08-19 18:09 47,104 --a--c--- C:\WINDOWS\system32\dllcache\OLD2A.tmp
2008-06-29 19:59 . 2004-08-19 18:09 43,520 --a--c--- C:\WINDOWS\system32\dllcache\OLDF.tmp
2008-06-29 19:59 . 2003-03-24 15:52 20,540 --a--c--- C:\WINDOWS\system32\dllcache\OLD16.tmp
2008-06-29 19:59 . 2003-03-24 15:52 16,439 --a--c--- C:\WINDOWS\system32\dllcache\OLD1A.tmp
2008-06-29 19:58 . 2008-06-29 19:58 <REP> d-------- C:\WINDOWS\system32\drivers\downld
2008-06-29 19:58 . 2008-06-29 19:59 <REP> d-------- C:\WINDOWS\LastGood
2008-06-29 19:58 . 2003-03-24 15:52 20,540 --a--c--- C:\WINDOWS\system32\dllcache\OLD8.tmp
2008-06-29 19:58 . 2003-03-24 15:52 16,439 --a--c--- C:\WINDOWS\system32\dllcache\OLDC.tmp
2008-06-26 00:40 . 2008-06-29 19:46 <REP> d-------- C:\Muestras
2008-06-25 23:01 . 2008-06-25 23:01 <REP> d-------- C:\Program Files\Trend Micro
2008-06-25 22:44 . 2008-06-25 23:02 <REP> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-25 22:44 . 2008-06-25 22:44 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-25 21:51 . 2008-06-25 21:51 1,160 --a------ C:\WINDOWS\mozver.dat
2008-06-24 21:54 . 2008-06-24 23:06 <REP> d-------- C:\LibSndFile
2008-06-11 15:21 . 2008-06-11 15:21 <REP> d-------- C:\FMOD
2008-06-11 12:47 . 2008-06-05 05:02 339,968 --a------ C:\WINDOWS\system32\libfmodex.dll
2008-06-10 23:54 . 2008-06-23 00:11 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-10 23:54 . 2008-06-10 23:54 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-10 21:24 . 2008-06-10 21:24 <REP> d-------- C:\Documents and Settings\developer\Application Data\Apple Computer
2008-06-10 20:10 . 2008-06-05 05:02 339,968 --a------ C:\WINDOWS\system32\fmodex.dll
2008-06-10 20:10 . 2006-08-31 21:35 325,120 --a------ C:\WINDOWS\system32\libsndfile.dll
2008-06-10 13:49 . 2008-06-10 13:49 <REP> d-------- C:\Program Files\Inno Setup 5
2008-06-10 00:17 . 2008-06-25 22:34 <REP> d-------- C:\Documents and Settings\developer\Application Data\VMware
2008-06-09 23:56 . 2008-06-24 21:14 <REP> d-------- C:\Documents and Settings\developer\Application Data\Dev-Cpp
2008-06-09 23:55 . 2008-06-24 21:12 0 --a------ C:\WINDOWS\MSYS.INI
2008-06-09 23:38 . 2008-06-24 21:54 <REP> d-------- C:\Qt
2008-06-09 23:36 . 2008-06-09 23:36 <REP> d-------- C:\Program Files\MagicISO
2008-06-09 23:31 . 2008-06-11 14:46 <REP> d-------- C:\Program Files\FMOD
2008-06-09 23:22 . 2008-06-24 21:14 <REP> d-------- C:\Dev-Cpp
2008-06-09 23:18 . 2008-06-09 23:18 <REP> d-------- C:\Documents and Settings\developer\Application Data\VMNTOOLBAR
2008-06-09 23:15 . 2007-09-07 21:48 <REP> d--h----- C:\Documents and Settings\developer\Voisinage r‚seau
2008-06-09 23:15 . 2007-09-07 21:48 <REP> d--h----- C:\Documents and Settings\developer\Voisinage d'impression
2008-06-09 23:15 . 2007-09-07 19:57 <REP> d--h----- C:\Documents and Settings\developer\ModŠles
2008-06-09 23:15 . 2008-06-10 13:59 <REP> dr------- C:\Documents and Settings\developer\Mes documents
2008-06-09 23:15 . 2007-09-07 21:48 <REP> dr------- C:\Documents and Settings\developer\Menu D‚marrer
2008-06-09 23:15 . 2008-06-09 23:15 <REP> dr------- C:\Documents and Settings\developer\Favoris
2008-06-09 23:15 . 2008-06-29 19:42 <REP> d-------- C:\Documents and Settings\developer\Bureau
2008-06-09 23:15 . 2008-06-25 19:18 <REP> d-------- C:\Documents and Settings\developer

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-25 20:33 --------- d-----w C:\Documents and Settings\LocalService\Application Data\VMware
2008-06-25 13:29 --------- d-----w C:\Program Files\Fichiers communs\Adobe
2008-06-23 20:39 --------- d-----w C:\Program Files\FriendBlasterPro
2008-06-22 22:10 --------- d-----w C:\Documents and Settings\henry\Application Data\VMware
2008-06-11 10:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-06-07 21:34 --------- d-----w C:\Documents and Settings\henry\Application Data\vmntoolbar
2008-05-29 17:26 --------- d-----w C:\Documents and Settings\henry\Application Data\dvdcss
2007-09-07 18:05 16,384 --sha-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
2007-09-07 18:12 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Historique\History.IE5\index.dat
2007-09-07 18:12 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Historique\History.IE5\MSHist012007090720070908\index.dat
2007-09-07 18:05 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.

((((((((((((((((((((((((((((((((( Point de chargement Reg )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* les ‚l‚ments vides & les ‚l‚ments initiaux l‚gitimes ne sont pas list‚s

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 18:09 15360]
"TransBar"="C:\WINDOWS\system32\TransBar.exe" [2006-09-15 20:47 69120]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-06-25 22:44 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-07-31 13:59 8433664]
"nwiz"="nwiz.exe" [2007-07-31 13:59 1626112 C:\WINDOWS\system32\nwiz.exe]
"BluetoothAuthenticationAgent"="bthprops.cpl,,BluetoothAuthenticationAgent" []
"IRW"="C:\WINDOWS\system32\IRW.exe" [2007-07-31 13:57 147456]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24 286720]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-07-31 13:59 81920]
"RTHDCPL"="RTHDCPL.EXE" [2007-07-31 13:59 16380416 C:\WINDOWS\RTHDCPL.exe]
"Apple_KbdMgr"="C:\Program Files\Boot Camp\KbdMgr.exe" [2007-07-31 14:04 398640]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"VMware Tools"="C:\Program Files\VMware\VMware Tools\VMwareTray.exe" [2007-10-14 23:39 96816]
"VMware User Process"="C:\Program Files\VMware\VMware Tools\VMwareUser.exe" [2007-10-14 23:39 367152]
"LVCOMSX"="C:\Program Files\Fichiers communs\LogiShrd\LComMgr\LVComSX.exe" [2007-03-06 17:51 252704]
"SSBkgdUpdate"="C:\Program Files\Fichiers communs\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-09-28 14:16 185896]
"OpwareSE4"="C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-10-11 13:45 75304]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-23 00:24 620152]
"Adobe_ID0EYTHM"="C:\PROGRA~1\FICHIE~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [2007-03-20 17:40 1884160]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoSimpleStartMenu"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoStrCmpLogical"= 0 (0x0)
"MaxRecentDocs"= 15 (0xf)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.xvid"= xvid.dll
"Midi1"= myokent.dll
"Midi2"= rddv1036.dll
"midi3"= evolusbn.dll
"midi4"= rddv1036.dll
"wave8"= rddv1035.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\wd.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{95e44ea2-7262-11dc-b579-001d4f86af88}]
\Shell\AutoRun\command - F:\nideiect.com
\Shell\explore\Command - F:\nideiect.com
\Shell\open\Command - F:\nideiect.com

.
Contenu du dossier 'Scheduled Tasks/Tƒches planifi‚es'
"2008-04-17 15:33:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-29 19:59:06
Windows 5.1.2600 Service Pack 2 NTFS

Balayage processus cach‚s ...

Balayage cach‚ autostart entries ...

Balayage des fichiers cach‚s ...

Scan termin‚ avec succŠs
Les fichiers cach‚s: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\VMware\VMware Tools\vmacthlp.exe
C:\WINDOWS\system32\AppleOSSMgr.exe
C:\WINDOWS\system32\AppleTimeSrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\M-Audio Uno\UnoInst.exe
C:\Program Files\VMware\VMware Tools\VMwareService.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Program Files\Fichiers communs\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Temps d'accomplissement: 2008-06-29 20:23:07 - machine was rebooted [developer]
ComboFix-quarantined-files.txt 2008-06-29 18:21:58

Pre-Run: 20,753,973,248 octets libres
Post-Run: 20,024,856,576 octets libres

331 --- E O F --- 2008-05-28 06:42:23

[rlgrand]

Bonjour, ttone

Le script en pièce jointe est à enregistrer sur le bureau et à glisser/déposer sur combofix.exe.

Salut