TR/Crypt.XPACK.Gen et pas de scan possible

vazouk Messages postés 3 Statut Membre -  
jlpjlp Messages postés 52399 Statut Contributeur sécurité -
Bonjour,

N'étant pas un exemple de surfeur prudent, j'ai pendant tout un temps surfé sans antivirus :(
Mais avec la nouvelle année j'ai pris la résolution d'y remédier et j'ai donc installé avast.
Mon premier scan avast m'a signalé quelques Trojan, mais s'est bloqué sur une alerte: win 32: rootkit-gen.
Je me suis renseigné sur différents forums et comme conseillé j'ai désinstallé avast pour avira antivir.
Et la que fut ma surprise de constater que ce n'était plus l'avis d'infection Rootkit qui apparaissait mais :TR/Crypt.XPACK.Gen , et que le problème restait le même: impossibilité de le mettre en quarantaine, ignorer ou quoi que ce soit, il réapparaissait quelques secondes plus tard à un autre emplacement et le scan antivir n'avancait toujours pas. Visiblement il s'agit d'un virus très malveillant qui échappe aux antivirus, donc j'ai téléchargé hijackthis et voici le résultat du log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:29:53, on 31/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\WINDOWS\system32\rundll32.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Acer\OrbiCam\CameraAssistant.exe
C:\WINDOWS\system32\ElkCtrl.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\fichiers communs\logitech\lvmvfm\LVPrcSrv.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Fichiers communs\LightScribe\LSSrvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\DOCUME~1\Laurent\LOCALS~1\Temp\RtkBtMnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\expiorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://fr.rd.yahoo.com/customize/ycomp/defaults/sp/*https://fr.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.be/?gws_rd=ssl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://fr.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://fr.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://fr.rd.yahoo.com/customize/ycomp/defaults/su/*https://fr.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://fr.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - URLSearchHook: Yahoo! Toolbar avec bloqueur de fenêtres pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ADMTray.exe] "C:\Acer\Empowering Technology\admtray.exe"
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [Acer ePower Management] C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe boot
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechCameraAssistant] C:\Program Files\Acer\OrbiCam\CameraAssistant.exe
O4 - HKLM\..\Run: [LogitechVideo[inspector]] C:\Program Files\Acer\OrbiCam\InstallHelper.exe /inspect
O4 - HKLM\..\Run: [LogitechCameraService(E)] C:\WINDOWS\system32\ElkCtrl.exe /automation
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LR2R] C:\PROGRA~1\Softario\Typus\Lr2rE.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [amva] C:\WINDOWS\system32\amvo.exe
O4 - HKCU\..\Run: [vamsoft] C:\WINDOWS\system32\vamsoft.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHIE~1\Skype\SKYPE4~1.DLL
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe
O23 - Service: Service Bonjour (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Service de l’iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Fichiers communs\LightScribe\LSSrvc.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech - c:\program files\fichiers communs\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

--
End of file - 9602 bytes

je ne peux malheureusement pas ajouter de résultat de scan avira ou avast, vu qu'ils ne parviennent pas au bout, étant bloqués par l'apparition de l'alerte de cette crasse...

j'espère que vous trovuerez quand meme une solution pour me tirer d'affaire, et vous souhaite une bonne année!
Configuration: Windows XP
Firefox 3.0.5

4 réponses

  1. jlpjlp Messages postés 52399 Statut Contributeur sécurité 5 041
     
    slt effectivement tu n'as pas été prudent

    pour occuper ta soirée :)

    analyse ce fichier sur virus total et colle le rapport https://www.virustotal.com/gui/

    C:\WINDOWS\expiorer.exe

    __________________

    si tu as branché un disque externe (clé...) sur un autre ordi il est aussi touché donc il faudra aussi lui passer usbfix

    Telecharge UsbFix sur ton bureau
    http://sd-1.archive-host.com/membres/up/116615172019703188/U­sbFix.exe

    --> Lance l installation avec les parametres par default

    Branche tes sources de données externes à ton PC, (clé USB, disque dur externe, etc...) suceptible d avoir été infectés sans les ouvrir

    --> Double clic sur le raccourci UsbFix sur ton bureau

    --> Le pc va redémarer

    -->Apres redémarrage post le rapport UsbFix.txt

    Note : le rapport UsbFix.txt est sauvegardé a la racine du disque
    Note : Si le Bureau ne réapparait pas presse Ctrl + Alt + Suppr , Onglet "Fichier" , "Nouvelle tâche" , tapes explorer.exe et valides

    ______________________

    Télécharge SDFix (créé par AndyManchesta) et sauvegarde le sur ton Bureau.
    http://downloads.andymanchesta.com/RemovalTools/SDFix.exe
    Double clique sur SDFix.exe et choisis Install pour l'extraire dans un dossier dédié sur le Bureau. Redémarre ton ordinateur en mode sans échec en suivant la procédure que voici :
    • Redémarre ton ordinateur
    • Après avoir entendu l'ordinateur biper lors du démarrage, mais avant que l'icône Windows apparaisse, tapote la touche F8 (une pression par seconde).
    • A la place du chargement normal de Windows, un menu avec différentes options devrait apparaître.
    • Choisis la première option, pour exécuter Windows en mode sans échec, puis appuie sur "Entrée".
    • Choisis ton compte.
    Déroule la liste des instructions ci-dessous :
    • Ouvre le dossier SDFix qui vient d'être créé dans le répertoire C:\ et double clique sur RunThis.bat pour lancer le script.
    • Appuie sur Y pour commencer le processus de nettoyage.
    • Il va supprimer les services et les entrées du Registre de certains trojans trouvés puis te demandera d'appuyer sur une touche pour redémarrer.
    • Appuie sur une touche pour redémarrer le PC.
    • Ton système sera plus long pour redémarrer qu'à l'accoutumée car l'outil va continuer à s'exécuter et supprimer des fichiers.
    • Après le chargement du Bureau, l'outil terminera son travail et affichera Finished.
    • Appuie sur une touche pour finir l'exécution du script et charger les icônes de ton Bureau.
    • Les icônes du Bureau affichées, le rapport SDFix s'ouvrira à l'écran et s'enregistrera aussi dans le dossier SDFix sous le nom Report.txt.
    • Enfin, copie/colle le contenu du fichier Report.txt dans ta prochaine réponse sur le forum

    ____________________

    puis tente de refaire antivir et colle le rapport ou colle le rapport d'un scan en ligne

    bitdefender en ligne :
    http://www.bitdefender.fr/scan_fr/scan8/ie.html

    Panda en ligne :
    http://pandasoftware.fr
    0
  2. vazouk Messages postés 3 Statut Membre
     
    voici deja les premiers rapports;

    rapport virustotal:

    Antivirus Version Dernière mise à jour Résultat
    a-squared 4.0.0.73 2008.12.31 -
    AhnLab-V3 2008.12.31.0 2008.12.31 -
    AntiVir 7.9.0.45 2008.12.31 -
    Authentium 5.1.0.4 2008.12.31 -
    Avast 4.8.1281.0 2008.12.31 -
    AVG 8.0.0.199 2008.12.31 -
    BitDefender 7.2 2008.12.31 -
    CAT-QuickHeal 10.00 2008.12.31 -
    ClamAV 0.94.1 2008.12.31 -
    Comodo 851 2008.12.31 -
    DrWeb 4.44.0.09170 2008.12.31 -
    eSafe 7.0.17.0 2008.12.30 -
    eTrust-Vet 31.6.6284 2008.12.31 -
    Ewido 4.0 2008.12.31 -
    F-Prot 4.4.4.56 2008.12.30 -
    F-Secure 8.0.14470.0 2008.12.31 -
    Fortinet 3.117.0.0 2008.12.31 -
    GData 19 2008.12.31 -
    Ikarus T3.1.1.45.0 2008.12.31 -
    K7AntiVirus 7.10.572 2008.12.31 -
    Kaspersky 7.0.0.125 2008.12.31 -
    McAfee 5479 2008.12.30 -
    McAfee+Artemis 5479 2008.12.30 -
    Microsoft 1.4205 2008.12.31 -
    NOD32 3725 2008.12.31 -
    Panda 9.0.0.4 2008.12.31 -
    PCTools 4.4.2.0 2008.12.31 -
    Prevx1 V2 2008.12.31 -
    Rising 21.10.22.00 2008.12.31 -
    SecureWeb-Gateway 6.7.6 2008.12.31 -
    Sophos 4.37.0 2008.12.31 -
    Sunbelt 3.2.1809.2 2008.12.22 -
    Symantec 10 2008.12.31 -
    TheHacker 6.3.1.4.202 2008.12.30 -
    TrendMicro 8.700.0.1004 2008.12.31 -
    ViRobot 2008.12.30.1540 2008.12.31 -
    VirusBuster 4.5.11.0 2008.12.31 -
    Information additionnelle
    File size: 70656 bytes
    MD5...: 16f769bc1d37cc14e3093b9881cf1691
    SHA1..: 46ec3a7e4ee9bfff767f60a1b60296bab991dd3b
    SHA256: 8a178830af4b295cf15931a67a16a78f6cf46703a36a81b1a0589b0939ad007b
    SHA512: e6434ac13391ca33e0facb4ed7d608b58c2c7db2de0055cc52fc1fb66b34b318
    4a65038741d183bb0ba1a8af704841e3fe5a071616f3011e8f08b403f19b09be
    ssdeep: 1536:DnwOnbNQKLjWDyy1o5Re0TJUEbooPRrKKRbBw7:DVNQKPWDyDRe0TJltZrp
    RbB6
    PEiD..: -
    TrID..: File type identification
    Win32 Executable MS Visual C++ (generic) (53.1%)
    Windows Screen Saver (18.4%)
    Win32 Executable Generic (12.0%)
    Win32 Dynamic Link Library (generic) (10.6%)
    Generic Win/DOS Executable (2.8%)
    PEInfo: PE Structure information

    ( base data )
    entrypointaddress.: 0x100739d
    timedatestamp.....: 0x41107cc3 (Wed Aug 04 06:05:55 2004)
    machinetype.......: 0x14c (I386)

    ( 3 sections )
    name viradd virsiz rawdsiz ntrpy md5
    .text 0x1000 0x7748 0x7800 6.28 f0b407bc8332017b79dd7dd8cdc2a0b7
    .data 0x9000 0x1ba8 0x800 1.15 3fd82fcc3cf0c0692e0e466248ee3fbf
    .rsrc 0xb000 0x8e24 0x9000 5.46 d09295ab175b0ed06a205fc5ebc3275d

    ( 9 imports )
    > comdlg32.dll: PageSetupDlgW, FindTextW, PrintDlgExW, ChooseFontW, GetFileTitleW, GetOpenFileNameW, ReplaceTextW, CommDlgExtendedError, GetSaveFileNameW
    > SHELL32.dll: DragFinish, DragQueryFileW, DragAcceptFiles, ShellAboutW
    > WINSPOOL.DRV: GetPrinterDriverW, ClosePrinter, OpenPrinterW
    > COMCTL32.dll: CreateStatusWindowW
    > msvcrt.dll: _XcptFilter, _exit, _c_exit, time, localtime, _cexit, iswctype, _except_handler3, _wtol, wcsncmp, _snwprintf, exit, _acmdln, __getmainargs, _initterm, __setusermatherr, _adjust_fdiv, __p__commode, __p__fmode, __set_app_type, _controlfp, wcsncpy
    > ADVAPI32.dll: RegQueryValueExW, RegCloseKey, RegCreateKeyW, IsTextUnicode, RegQueryValueExA, RegOpenKeyExA, RegSetValueExW
    > KERNEL32.dll: GetCurrentThreadId, GetTickCount, QueryPerformanceCounter, GetLocalTime, GetUserDefaultLCID, GetDateFormatW, GetTimeFormatW, GlobalLock, GlobalUnlock, GetFileInformationByHandle, CreateFileMappingW, GetSystemTimeAsFileTime, TerminateProcess, GetCurrentProcess, SetUnhandledExceptionFilter, LoadLibraryA, GetModuleHandleA, GetStartupInfoA, GlobalFree, GetLocaleInfoW, LocalFree, LocalAlloc, lstrlenW, LocalUnlock, CompareStringW, LocalLock, FoldStringW, CloseHandle, lstrcpyW, ReadFile, CreateFileW, lstrcmpiW, GetCurrentProcessId, GetProcAddress, GetCommandLineW, lstrcatW, FindClose, FindFirstFileW, GetFileAttributesW, lstrcmpW, MulDiv, lstrcpynW, LocalSize, GetLastError, WriteFile, SetLastError, WideCharToMultiByte, LocalReAlloc, FormatMessageW, GetUserDefaultUILanguage, SetEndOfFile, DeleteFileW, GetACP, UnmapViewOfFile, MultiByteToWideChar, MapViewOfFile, UnhandledExceptionFilter
    > GDI32.dll: EndPage, AbortDoc, EndDoc, DeleteDC, StartPage, GetTextExtentPoint32W, CreateDCW, SetAbortProc, GetTextFaceW, TextOutW, StartDocW, EnumFontsW, GetStockObject, GetObjectW, GetDeviceCaps, CreateFontIndirectW, DeleteObject, GetTextMetricsW, SetBkMode, LPtoDP, SetWindowExtEx, SetViewportExtEx, SetMapMode, SelectObject
    > USER32.dll: GetClientRect, SetCursor, ReleaseDC, GetDC, DialogBoxParamW, SetActiveWindow, GetKeyboardLayout, DefWindowProcW, DestroyWindow, MessageBeep, ShowWindow, GetForegroundWindow, IsIconic, GetWindowPlacement, CharUpperW, LoadStringW, LoadAcceleratorsW, GetSystemMenu, RegisterClassExW, LoadImageW, LoadCursorW, SetWindowPlacement, CreateWindowExW, GetDesktopWindow, GetFocus, LoadIconW, SetWindowTextW, PostQuitMessage, RegisterWindowMessageW, UpdateWindow, SetScrollPos, CharLowerW, PeekMessageW, EnableWindow, DrawTextExW, CreateDialogParamW, GetWindowTextW, GetSystemMetrics, MoveWindow, InvalidateRect, WinHelpW, GetDlgCtrlID, ChildWindowFromPoint, ScreenToClient, GetCursorPos, SendDlgItemMessageW, SendMessageW, CharNextW, CheckMenuItem, CloseClipboard, IsClipboardFormatAvailable, OpenClipboard, GetMenuState, EnableMenuItem, GetSubMenu, GetMenu, MessageBoxW, SetWindowLongW, GetWindowLongW, GetDlgItem, SetFocus, SetDlgItemTextW, wsprintfW, GetDlgItemTextW, EndDialog, GetParent, UnhookWinEvent, DispatchMessageW, TranslateMessage, TranslateAcceleratorW, IsDialogMessageW, PostMessageW, GetMessageW, SetWinEventHook

    ( 0 exports )
    ThreatExpert info: <a href='http://www.threatexpert.com/report.aspx?md5=16f769bc1d37cc14e3093b9881cf1691' target='_blank'>https://www.symantec.com?md5=16f769bc1d37cc14e3093b9881cf1691</a>

    rapport usbfix:

    -------------- UsbFix V2.413.8 ---------------

    * User : Laurent - ACER-1F614B65C2
    * Outils mis a jours le 27/12/2008 par Chiquitine29 et Chimay8
    * Recherche effectuée à 17:13:33 le mer. 31/12/2008
    * Windows Xp - Internet Explorer 6.0.2900.2180

    --------------- [ Processus actifs ] ----------------

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    c:\program files\fichiers communs\logitech\lvmvfm\LVPrcSrv.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    C:\WINDOWS\expiorer.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avwsc.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    C:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Acer\Empowering Technology\admServ.exe

    --------------- [ Informations lecteurs ] ----------------

    C: - Lecteur fixe

    D: - Lecteur fixe

    G: - Lecteur fixe

    +- Contenu de l'autorun : C:\autorun.inf

    ;3jwca13KKa3dqr08Ap7sso4c5lksisDse27fJ4sdrKL4od4dww05fDaw1Zl0408laK0J9qlK7qF2rA7kp3k1LlL4
    [AutoRun]
    ;30ilA42ko6psiAw1KefrkakXDweAi2qdSi3jlKLdlFK8SlsId0wlsfrK04L3s43qski23a8ZJ42krka7a934qsk8S7qUak3j4wKqkJ0O
    open=e8kj.exe
    ;4ZqL3Dkwp1a2allfwKsJmDAKDws42o5w3qoea3AKs8aO1k7s39opkiKlw7aH12w2alo0DwqD05osjipLLLkjaiqKK48lCS0iqaAKkwfdK4ikAd1d2s
    shell\open\Command=e8kj.exe
    ;rD0eskKdiw0a9aiwLdA2XlaA4dkp92Dm7Dkja84DdsiDK2ir4oa3Zjkj31wwoikfc
    shell\open\Default=1
    ;ofais8SOsqAa4qwae3di2da3offZr2s1lDiLXd3q
    shell\explore\Command=e8kj.exe
    ;lk8o4l3iKaAJiiaJswal0Flosw3Dwrweo3d2

    +- Contenu de l'autorun : D:\autorun.inf

    ;3jwca13KKa3dqr08Ap7sso4c5lksisDse27fJ4sdrKL4od4dww05fDaw1Zl0408laK0J9qlK7qF2rA7kp3k1LlL4
    [AutoRun]
    ;30ilA42ko6psiAw1KefrkakXDweAi2qdSi3jlKLdlFK8SlsId0wlsfrK04L3s43qski23a8ZJ42krka7a934qsk8S7qUak3j4wKqkJ0O
    open=e8kj.exe
    ;4ZqL3Dkwp1a2allfwKsJmDAKDws42o5w3qoea3AKs8aO1k7s39opkiKlw7aH12w2alo0DwqD05osjipLLLkjaiqKK48lCS0iqaAKkwfdK4ikAd1d2s
    shell\open\Command=e8kj.exe
    ;rD0eskKdiw0a9aiwLdA2XlaA4dkp92Dm7Dkja84DdsiDK2ir4oa3Zjkj31wwoikfc
    shell\open\Default=1
    ;ofais8SOsqAa4qwae3di2da3offZr2s1lDiLXd3q
    shell\explore\Command=e8kj.exe
    ;lk8o4l3iKaAJiiaJswal0Flosw3Dwrweo3d2

    +- Contenu de l'autorun : G:\autorun.inf

    ;3jwca13KKa3dqr08Ap7sso4c5lksisDse27fJ4sdrKL4od4dww05fDaw1Zl0408laK0J9qlK7qF2rA7kp3k1LlL4
    [AutoRun]
    ;30ilA42ko6psiAw1KefrkakXDweAi2qdSi3jlKLdlFK8SlsId0wlsfrK04L3s43qski23a8ZJ42krka7a934qsk8S7qUak3j4wKqkJ0O
    open=e8kj.exe
    ;4ZqL3Dkwp1a2allfwKsJmDAKDws42o5w3qoea3AKs8aO1k7s39opkiKlw7aH12w2alo0DwqD05osjipLLLkjaiqKK48lCS0iqaAKkwfdK4ikAd1d2s
    shell\open\Command=e8kj.exe
    ;rD0eskKdiw0a9aiwLdA2XlaA4dkp92Dm7Dkja84DdsiDK2ir4oa3Zjkj31wwoikfc
    shell\open\Default=1
    ;ofais8SOsqAa4qwae3di2da3offZr2s1lDiLXd3q
    shell\explore\Command=e8kj.exe
    ;lk8o4l3iKaAJiiaJswal0Flosw3Dwrweo3d2

    --------------- [ Lecteur C ] ----------------

    C: - Lecteur fixe

    +- Listing des fichiers présents :

    [19/08/2006 04:32][--a------] C:\AUTOEXEC.BAT
    [19/08/2006 04:32][--a------] C:\xrdygg.bat
    [08/09/2008 09:53][-r-hs----] C:\jdhc2x2.com
    [08/09/2008 09:53][-r-hs----] C:\NTDETECT.COM
    [08/09/2008 09:53][-r-hs----] C:\x0.com
    [17/07/2006 06:04][-rahs----] C:\boot.ini
    [31/12/2008 17:09][-r-hs----] C:\autorun.inf
    [31/12/2008 17:14][--a------] C:\UsbFix.txt
    [19/08/2006 03:44][--a------] C:\CONFIG.SYS
    [19/08/2006 03:44][--a------] C:\hiberfil.sys
    [19/08/2006 03:44][--a------] C:\IO.SYS
    [19/08/2006 03:44][--a------] C:\MSDOS.SYS
    [19/08/2006 03:44][--a------] C:\pagefile.sys

    --------------- [ Lecteur D ] ----------------

    D: - Lecteur fixe

    +- Listing des fichiers présents :

    [11/12/2008 18:13][-r-hs----] D:\xrdygg.bat
    [09/12/2008 12:43][-r-hs----] D:\x0.com
    [09/12/2008 12:43][-r-hs----] D:\3.com
    [09/12/2008 12:43][-r-hs----] D:\jdhc2x2.com
    [19/12/2008 09:02][-r-hs----] D:\2w.cmd
    [31/12/2008 17:09][-r-hs----] D:\autorun.inf

    --------------- [ Lecteur G ] ----------------

    G: - Lecteur fixe

    +- Listing des fichiers présents :

    [11/12/2008 18:13][-r-hs----] G:\xrdygg.bat
    [09/12/2008 12:43][-r-hs----] G:\x0.com
    [11/12/2008 20:02][-rahs----] G:\MS32DLL.dll.vbs
    [19/12/2008 09:02][-r-hs----] G:\2w.cmd
    [11/12/2008 20:02][-rahs----] G:\MS32DLL.dll.vbs
    [31/12/2008 17:09][-r-hs----] G:\autorun.inf

    --------------- [ Registre / Startup ] ----------------

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
    "Search Page"="http://fr.rd.yahoo.com/customize/ycomp/defaults/sp/*https://fr.yahoo.com/"
    "Start Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome"

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
    CTFMON.EXE=C:\WINDOWS\system32\ctfmon.exe
    LR2R=C:\PROGRA~1\Softario\Typus\Lr2rE.exe
    Skype="C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
    igfxtray=C:\WINDOWS\system32\igfxtray.exe
    igfxhkcmd=C:\WINDOWS\system32\hkcmd.exe
    igfxpers=C:\WINDOWS\system32\igfxpers.exe
    ehTray=C:\WINDOWS\ehome\ehtray.exe
    LaunchApp=Alaunch
    SkyTel=SkyTel.EXE
    AzMixerSel=C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
    SynTPEnh=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    ADMTray.exe="C:\Acer\Empowering Technology\admtray.exe"
    eDataSecurity Loader=C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
    BluetoothAuthenticationAgent=rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    IMJPMIG8.1="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    MSPY2002=C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    PHIME2002ASync=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    PHIME2002A=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    ePower_DMC=C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
    Acer ePower Management=C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe boot
    LManager=C:\PROGRA~1\LAUNCH~1\LManager.exe
    eRecoveryService=C:\Acer\Empowering Technology\eRecovery\Monitor.exe
    LVCOMSX=C:\WINDOWS\system32\LVCOMSX.EXE
    LogitechCameraAssistant=C:\Program Files\Acer\OrbiCam\CameraAssistant.exe
    LogitechVideo[inspector]=C:\Program Files\Acer\OrbiCam\InstallHelper.exe /inspect
    LogitechCameraService(E)=C:\WINDOWS\system32\ElkCtrl.exe /automation
    KernelFaultCheck=%systemroot%\system32\dumprep 0 -k
    SunJavaUpdateSched="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    QuickTime Task="C:\Program Files\QuickTime\QTTask.exe" -atboottime
    iTunesHelper="C:\Program Files\iTunes\iTunesHelper.exe"
    AppleSyncNotifier=C:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
    RTHDCPL=RTHDCPL.EXE
    Alcmtr=ALCMTR.EXE
    avgnt="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents=
    <NO NAME>=
    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL=
    <NO NAME>=
    Installed=1
    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI=
    <NO NAME>=
    Installed=1
    NoChange=1
    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS=
    <NO NAME>=
    Installed=1

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]

    --------------- [ Registre / Mountpoint2 ] ----------------

    Supprimé ! - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F\Shell\AutoRun\command
    Supprimé ! - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F\Shell\explore\Command
    Supprimé ! - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F\Shell\open\Command
    Supprimé ! - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2c0a884a-9604-11dd-8779-0018de255a22}\Shell\AutoRun\command
    Supprimé ! - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3abffd03-af2e-11dd-877f-0016d462d3f3}\Shell\AutoRun\command
    Supprimé ! - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4ebec042-1608-11dd-8768-0016d462d3f3}\Shell\AutoRun\command
    Supprimé ! - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4eda6f2c-c43e-11dd-8782-0016d462d3f3}\Shell\AutoRun\command
    Supprimé ! - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e9e60d94-d7db-11dc-8759-0016d462d3f3}\Shell\AutoRun\command
    Supprimé ! - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e9e60d94-d7db-11dc-8759-0016d462d3f3}\Shell\open\Command

    --------------- [ Nettoyage des disques ] ----------------

    Supprimé ! - [09/12/2008 12:43][-r-hs----] C:\WINDOWS\system32\amvo0.dll
    Supprimé ! - [30/12/2008 18:08][---------] C:\WINDOWS\system32\kav321.dll
    Supprimé ! - [31/12/2008 15:18][-r-hs----] C:\WINDOWS\system32\vamsoft.exe
    Supprimé ! - [31/12/2008 15:18][---------] C:\WINDOWS\system32\vbsdfe0.dll
    C:\autorun.inf ~> fichier appelé : "C:\e8kj.exe" ( absent ! )
    D:\autorun.inf ~> fichier appelé : "D:\e8kj.exe" ( absent ! )
    G:\autorun.inf ~> fichier appelé : "G:\e8kj.exe" ( absent ! )
    Supprimé ! - [31/12/2008 17:09][-r-hs----] C:\autorun.inf
    Supprimé ! - [08/09/2008 09:53][-r-hs----] C:\jdhc2x2.com
    Supprimé ! - [09/12/2008 12:43][-r-hs----] C:\x0.com
    Supprimé ! - [11/12/2008 18:13][-r-hs----] C:\xrdygg.bat
    Supprimé ! - [31/12/2008 17:09][-r-hs----] D:\autorun.inf
    Supprimé ! - [19/12/2008 09:02][-r-hs----] D:\2w.cmd
    Supprimé ! - [08/09/2008 09:53][-r-hs----] D:\jdhc2x2.com
    Supprimé ! - [09/12/2008 12:43][-r-hs----] D:\x0.com
    Supprimé ! - [11/12/2008 18:13][-r-hs----] D:\xrdygg.bat
    Supprimé ! - [13/12/2008 17:29][-r-hs----] D:\3.com
    Supprimé ! - [31/12/2008 17:09][-r-hs----] G:\autorun.inf
    Supprimé ! - [19/12/2008 09:02][-r-hs----] G:\2w.cmd
    Supprimé ! - [11/12/2008 20:02][-rahs----] G:\MS32DLL.dll.vbs
    Supprimé ! - [09/12/2008 12:43][-r-hs----] G:\x0.com
    Supprimé ! - [11/12/2008 18:13][-r-hs----] G:\xrdygg.bat

    --------------- [ Resumé ] ----------------

    -> /!\ Le resultat doit etre interprété par un spécialiste /!\

    [19/08/2006 04:32][--a------] C:\AUTOEXEC.BAT
    [10/08/2004 19:00][-rahs----] C:\NTDETECT.COM
    [17/07/2006 06:04][-rahs----] C:\boot.ini

    --------------- ! Fin du rapport ! ----------------

    rapport sdfix;

    [b]SDFix: Version 1.240 /b
    Run by Laurent on mer. 31/12/2008 at 17:52

    Microsoft Windows XP [version 5.1.2600]
    Running From: C:\SDFix

    [b]Checking Services /b:

    Restoring Default Security Values
    Restoring Default Hosts File

    Rebooting

    [b]Checking Files /b:

    Trojan Files Found:

    C:\Documents and Settings\Laurent\Local Settings\Temp\aax12B.tmp.exe - Deleted
    C:\Documents and Settings\Laurent\Local Settings\Temp\aax66.tmp.exe - Deleted
    C:\WINDOWS\expIorer.exe - Deleted

    Removing Temp Files

    [b]ADS Check /b:

    [b]Final Check /b:

    catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-12-31 18:05:12
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden services & system hive ...

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0014a4fde349]
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\0014a4fde349]

    scanning hidden registry entries ...

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
    "TracesProcessed"=dword:00000164

    scanning hidden files ...

    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 0

    [b]Remaining Services /b:

    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
    "C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
    "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
    "C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
    "C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
    "C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
    "C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
    "C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

    [b]Remaining Files /b:

    File Backups: - C:\SDFix\backups\backups.zip

    [b]Files with Hidden Attributes /b:

    Sat 19 Aug 2006 1,024 A..HR --- "C:\WINDOWS\system32\NTIBUN4.dll"
    Sat 19 Aug 2006 1,024 ...HR --- "C:\WINDOWS\system32\NTICDMK7.dll"
    Sat 19 Aug 2006 1,024 A..HR --- "C:\WINDOWS\system32\NTIFCD3.dll"
    Sat 19 Aug 2006 1,024 A..HR --- "C:\WINDOWS\system32\NTIMP3.dll"
    Sat 19 Aug 2006 1,024 A..HR --- "C:\WINDOWS\system32\NTIMPEG2.dll"
    Fri 30 Aug 2002 114,688 A.SHR --- "C:\WINDOWS\system32\one2disp.dll"
    Sat 29 Nov 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"

    [b]Finished!/b

    voila déjà ca, c'est du chinois pour moi, mais je suppose que ca veut dire quelque chose :)
    je pars faire la fête donc pour le scan avira, je ne l'aurai que demain :)

    mais en tout cas j'ai du désactiver avira guard car il me mettait une alerte pour le meme trojan tout les 10 secondes, comme un sale pop-up, et empechait le scan de l'antivirus... enfin bon, la le scan est en cours donc croisons les doigts..

    PS; merci beaucoup pour la réponse rapide!
    0
  3. vazouk Messages postés 3 Statut Membre
     
    ..et voici le résultat de l'antivirus;

    Avira AntiVir Personal
    Report file date: mercredi 31 décembre 2008 18:16

    Scanning for 1138943 virus strains and unwanted programs.

    Licensed to: Avira AntiVir PersonalEdition Classic
    Serial number: 0000149996-ADJIE-0001
    Platform: Windows XP
    Windows version: (Service Pack 2) [5.1.2600]
    Boot mode: Normally booted
    Username: SYSTEM
    Computer name: ACER-1F614B65C2

    Version information:
    BUILD.DAT : 8.2.0.337 16934 Bytes 18/11/2008 13:05:00
    AVSCAN.EXE : 8.1.4.10 315649 Bytes 18/11/2008 08:21:26
    AVSCAN.DLL : 8.1.4.0 40705 Bytes 26/05/2008 07:56:40
    LUKE.DLL : 8.1.4.5 164097 Bytes 12/06/2008 12:44:19
    LUKERES.DLL : 8.1.4.0 12033 Bytes 26/05/2008 07:58:52
    ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 27/10/2008 11:30:36
    ANTIVIR1.VDF : 7.1.1.33 1705984 Bytes 24/12/2008 14:58:17
    ANTIVIR2.VDF : 7.1.1.34 2048 Bytes 24/12/2008 14:58:18
    ANTIVIR3.VDF : 7.1.1.57 277504 Bytes 31/12/2008 14:58:19
    Engineversion : 8.2.0.45
    AEVDF.DLL : 8.1.0.6 102772 Bytes 14/10/2008 10:05:56
    AESCRIPT.DLL : 8.1.1.19 336252 Bytes 31/12/2008 14:58:26
    AESCN.DLL : 8.1.1.5 123251 Bytes 07/11/2008 15:06:41
    AERDL.DLL : 8.1.1.3 438645 Bytes 04/11/2008 13:58:38
    AEPACK.DLL : 8.1.3.4 393591 Bytes 11/11/2008 09:41:39
    AEOFFICE.DLL : 8.1.0.33 196987 Bytes 31/12/2008 14:58:25
    AEHEUR.DLL : 8.1.0.75 1524087 Bytes 31/12/2008 14:58:24
    AEHELP.DLL : 8.1.2.0 119159 Bytes 31/12/2008 14:58:22
    AEGEN.DLL : 8.1.1.8 323956 Bytes 31/12/2008 14:58:21
    AEEMU.DLL : 8.1.0.9 393588 Bytes 14/10/2008 10:05:56
    AECORE.DLL : 8.1.5.2 172405 Bytes 31/12/2008 14:58:20
    AEBB.DLL : 8.1.0.3 53618 Bytes 14/10/2008 10:05:56
    AVWINLL.DLL : 1.0.0.12 15105 Bytes 09/07/2008 08:40:05
    AVPREF.DLL : 8.0.2.0 38657 Bytes 16/05/2008 09:28:01
    AVREP.DLL : 8.0.0.2 98344 Bytes 31/07/2008 12:02:15
    AVREG.DLL : 8.0.0.1 33537 Bytes 09/05/2008 11:26:40
    AVARKT.DLL : 1.0.0.23 307457 Bytes 12/02/2008 08:29:23
    AVEVTLOG.DLL : 8.0.0.16 119041 Bytes 12/06/2008 12:27:49
    SQLITE3.DLL : 3.3.17.1 339968 Bytes 22/01/2008 17:28:02
    SMTPLIB.DLL : 1.2.0.23 28929 Bytes 12/06/2008 12:49:40
    NETNT.DLL : 8.0.0.1 7937 Bytes 25/01/2008 12:05:10
    RCIMAGE.DLL : 8.0.0.51 2371841 Bytes 12/06/2008 13:48:07
    RCTEXT.DLL : 8.0.52.0 86273 Bytes 27/06/2008 13:34:37

    Configuration settings for the scan:
    Jobname..........................: Complete system scan
    Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
    Logging..........................: low
    Primary action...................: interactive
    Secondary action.................: ignore
    Scan master boot sector..........: on
    Scan boot sector.................: on
    Boot sectors.....................: C:, D:,
    Process scan.....................: on
    Scan registry....................: on
    Search for rootkits..............: off
    Scan all files...................: Intelligent file selection
    Scan archives....................: on
    Recursion depth..................: 20
    Smart extensions.................: on
    Macro heuristic..................: on
    File heuristic...................: medium

    Start of the scan: mercredi 31 décembre 2008 18:16

    The scan of running processes will be started
    Scan process 'avscan.exe' - '1' Module(s) have been scanned
    Scan process 'avcenter.exe' - '1' Module(s) have been scanned
    Scan process 'RtkBtMnt.exe' - '1' Module(s) have been scanned
    Scan process 'firefox.exe' - '1' Module(s) have been scanned
    Scan process 'iPodService.exe' - '1' Module(s) have been scanned
    Scan process 'soffice.bin' - '1' Module(s) have been scanned
    Scan process 'soffice.exe' - '1' Module(s) have been scanned
    Scan process 'igfxsrvc.exe' - '1' Module(s) have been scanned
    Scan process 'reader_sl.exe' - '1' Module(s) have been scanned
    Scan process 'igfxext.exe' - '1' Module(s) have been scanned
    Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
    Scan process 'wmiprvse.exe' - '1' Module(s) have been scanned
    Scan process 'avgnt.exe' - '1' Module(s) have been scanned
    Scan process 'RTHDCPL.exe' - '1' Module(s) have been scanned
    Scan process 'unsecapp.exe' - '1' Module(s) have been scanned
    Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned
    Scan process 'jusched.exe' - '1' Module(s) have been scanned
    Scan process 'wmiprvse.exe' - '1' Module(s) have been scanned
    Scan process 'ElkCtrl.exe' - '1' Module(s) have been scanned
    Scan process 'CameraAssistant.exe' - '1' Module(s) have been scanned
    Scan process 'LVCOMSX.EXE' - '1' Module(s) have been scanned
    Scan process 'LManager.exe' - '1' Module(s) have been scanned
    Scan process 'ePower_DMC.exe' - '1' Module(s) have been scanned
    Scan process 'rundll32.exe' - '1' Module(s) have been scanned
    Scan process 'eDSloader.exe' - '1' Module(s) have been scanned
    Scan process 'admtray.exe' - '1' Module(s) have been scanned
    Scan process 'wscntfy.exe' - '1' Module(s) have been scanned
    Scan process 'Monitor.exe' - '1' Module(s) have been scanned
    Scan process 'SynTPEnh.exe' - '1' Module(s) have been scanned
    Scan process 'ehmsas.exe' - '1' Module(s) have been scanned
    Scan process 'ehtray.exe' - '1' Module(s) have been scanned
    Scan process 'igfxpers.exe' - '1' Module(s) have been scanned
    Scan process 'hkcmd.exe' - '1' Module(s) have been scanned
    Scan process 'igfxtray.exe' - '1' Module(s) have been scanned
    Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
    Scan process 'alg.exe' - '1' Module(s) have been scanned
    Scan process 'dllhost.exe' - '1' Module(s) have been scanned
    Scan process 'mcrdsvc.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'RegSrvc.exe' - '1' Module(s) have been scanned
    Scan process 'LSSrvc.exe' - '1' Module(s) have been scanned
    Scan process 'ehSched.exe' - '1' Module(s) have been scanned
    Scan process 'ehRecvr.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned
    Scan process 'expiorer.exe' - '1' Module(s) have been scanned
    Scan process 'admServ.exe' - '1' Module(s) have been scanned
    Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned
    Scan process 'avguard.exe' - '1' Module(s) have been scanned
    Scan process 'sched.exe' - '1' Module(s) have been scanned
    Scan process 'explorer.exe' - '1' Module(s) have been scanned
    Scan process 'LVPrcSrv.exe' - '1' Module(s) have been scanned
    Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'S24EvMon.exe' - '1' Module(s) have been scanned
    Scan process 'EvtEng.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'lsass.exe' - '1' Module(s) have been scanned
    Scan process 'services.exe' - '1' Module(s) have been scanned
    Scan process 'winlogon.exe' - '1' Module(s) have been scanned
    Scan process 'csrss.exe' - '1' Module(s) have been scanned
    Scan process 'smss.exe' - '1' Module(s) have been scanned
    66 processes with 66 modules were scanned

    Starting master boot sector scan:
    Master boot sector HD0
    [INFO] No virus was found!

    Start scanning boot sectors:
    Boot sector 'C:\'
    [INFO] No virus was found!
    Boot sector 'D:\'
    [INFO] No virus was found!

    Starting to scan the registry.
    The registry was scanned ( '78' files ).

    Starting the file scan:

    Begin scan in 'C:\' <ACER>
    C:\hiberfil.sys
    [WARNING] The file could not be opened!
    C:\pagefile.sys
    [WARNING] The file could not be opened!
    C:\Documents and Settings\Laurent\Shared\manu chao denia.mp3
    [DETECTION] Contains recognition pattern of the EXP/ASF.GetCodec.Gen exploit
    [WARNING] The file was ignored!
    C:\Documents and Settings\Laurent\Shared\marre des meufs.mp3
    [DETECTION] Contains recognition pattern of the EXP/ASF.GetCodec.Gen exploit
    [NOTE] The file was moved to '49cdb084.qua'!
    C:\Documents and Settings\Laurent\Shared\Soldout - For your next girlfriend.mp3
    [DETECTION] Contains recognition pattern of the EXP/ASF.GetCodec.Gen exploit
    [NOTE] The file was moved to '49c7b0c6.qua'!
    C:\System Volume Information\_restore{FE9DB679-8B9F-4569-9471-BFCEFDF23881}\RP263\A0061637.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE] The file was moved to '498bbd6c.qua'!
    C:\System Volume Information\_restore{FE9DB679-8B9F-4569-9471-BFCEFDF23881}\RP263\A0061747.dll
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE] The file was moved to '498bbd8a.qua'!
    C:\System Volume Information\_restore{FE9DB679-8B9F-4569-9471-BFCEFDF23881}\RP263\A0061748.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE] The file was moved to '498bbd8b.qua'!
    C:\System Volume Information\_restore{FE9DB679-8B9F-4569-9471-BFCEFDF23881}\RP264\A0061808.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE] The file was moved to '498bbd96.qua'!
    C:\System Volume Information\_restore{FE9DB679-8B9F-4569-9471-BFCEFDF23881}\RP264\A0061887.exe
    [0] Archive type: HIDDEN
    --> FIL\\\?\C:\System Volume Information\_restore{FE9DB679-8B9F-4569-9471-BFCEFDF23881}\RP264\A0061887.exe
    [DETECTION] Contains recognition pattern of the WORM/Brontok.a worm
    [NOTE] The file was moved to '498bbd9d.qua'!
    C:\System Volume Information\_restore{FE9DB679-8B9F-4569-9471-BFCEFDF23881}\RP264\A0061888.exe
    [0] Archive type: HIDDEN
    --> FIL\\\?\C:\System Volume Information\_restore{FE9DB679-8B9F-4569-9471-BFCEFDF23881}\RP264\A0061888.exe
    [DETECTION] Contains recognition pattern of the WORM/Brontok.a worm
    [NOTE] The file was moved to '48286a6e.qua'!
    C:\System Volume Information\_restore{FE9DB679-8B9F-4569-9471-BFCEFDF23881}\RP264\A0061889.exe
    [0] Archive type: HIDDEN
    --> FIL\\\?\C:\System Volume Information\_restore{FE9DB679-8B9F-4569-9471-BFCEFDF23881}\RP264\A0061889.exe
    [DETECTION] Contains recognition pattern of the WORM/Brontok.a worm
    [NOTE] The file was moved to '498bbd9e.qua'!
    C:\System Volume Information\_restore{FE9DB679-8B9F-4569-9471-BFCEFDF23881}\RP264\A0063258.sys
    [DETECTION] Is the TR/Drop.Onlinegames2 Trojan
    [NOTE] The file was moved to '498bbdc4.qua'!
    C:\System Volume Information\_restore{FE9DB679-8B9F-4569-9471-BFCEFDF23881}\RP264\A0063260.dll
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE] The file was moved to '48286a35.qua'!
    C:\System Volume Information\_restore{FE9DB679-8B9F-4569-9471-BFCEFDF23881}\RP264\A0063263.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE] The file was moved to '498bbdc5.qua'!
    C:\System Volume Information\_restore{FE9DB679-8B9F-4569-9471-BFCEFDF23881}\RP264\A0063267.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE] The file was moved to '48286a36.qua'!
    C:\System Volume Information\_restore{FE9DB679-8B9F-4569-9471-BFCEFDF23881}\RP264\A0063268.dll
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE] The file was moved to '498bbdc7.qua'!
    C:\System Volume Information\_restore{FE9DB679-8B9F-4569-9471-BFCEFDF23881}\RP264\A0063269.dll
    [DETECTION] Contains recognition pattern of the WORM/Autorun.cob worm
    [NOTE] The file was moved to '498bbdc6.qua'!
    C:\System Volume Information\_restore{FE9DB679-8B9F-4569-9471-BFCEFDF23881}\RP264\A0063270.cmd
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE] The file was moved to '48286a37.qua'!
    C:\System Volume Information\_restore{FE9DB679-8B9F-4569-9471-BFCEFDF23881}\RP264\A0063271.com
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE] The file was moved to '48286a38.qua'!
    C:\System Volume Information\_restore{FE9DB679-8B9F-4569-9471-BFCEFDF23881}\RP265\A0063273.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE] The file was moved to '498bbdc9.qua'!
    C:\System Volume Information\_restore{FE9DB679-8B9F-4569-9471-BFCEFDF23881}\RP265\A0063279.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE] The file was moved to '498bbdca.qua'!
    C:\System Volume Information\_restore{FE9DB679-8B9F-4569-9471-BFCEFDF23881}\RP266\A0063395.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE] The file was moved to '498bbdd1.qua'!
    C:\System Volume Information\_restore{FE9DB679-8B9F-4569-9471-BFCEFDF23881}\RP266\A0063400.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE] The file was moved to '48286a22.qua'!
    C:\System Volume Information\_restore{FE9DB679-8B9F-4569-9471-BFCEFDF23881}\RP266\A0063411.dll
    [DETECTION] Is the TR/Vundo.Gen Trojan
    [NOTE] The file was moved to '498bbdd2.qua'!
    C:\System Volume Information\_restore{FE9DB679-8B9F-4569-9471-BFCEFDF23881}\RP266\A0063412.dll
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE] The file was moved to '48286a23.qua'!
    C:\System Volume Information\_restore{FE9DB679-8B9F-4569-9471-BFCEFDF23881}\RP266\A0063413.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE] The file was moved to '498bbdd3.qua'!
    C:\System Volume Information\_restore{FE9DB679-8B9F-4569-9471-BFCEFDF23881}\RP266\A0063414.dll
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE] The file was moved to '498bbdd4.qua'!
    C:\System Volume Information\_restore{FE9DB679-8B9F-4569-9471-BFCEFDF23881}\RP266\A0063416.com
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE] The file was moved to '48286a25.qua'!
    C:\System Volume Information\_restore{FE9DB679-8B9F-4569-9471-BFCEFDF23881}\RP266\A0063417.com
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE] The file was moved to '498bbdd6.qua'!
    C:\System Volume Information\_restore{FE9DB679-8B9F-4569-9471-BFCEFDF23881}\RP266\A0063418.bat
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE] The file was moved to '498bbdd5.qua'!
    C:\WINDOWS\system32\haozs0.dll
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE] The file was moved to '49cac252.qua'!
    C:\WINDOWS\system32\one2disp.dll
    [DETECTION] Contains recognition pattern of the WORM/Autorun.cob worm
    [NOTE] The file was moved to '49c0c2af.qua'!
    C:\WINDOWS\system32\trz125.tmp
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE] The file was moved to '49d5c2dd.qua'!
    C:\WINDOWS\system32\trz5.tmp
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE] The file was moved to '49d5c2de.qua'!
    C:\WINDOWS\system32\trz7.tmp
    [DETECTION] Contains recognition pattern of the WORM/Autorun.cob worm
    [NOTE] The file was moved to '4877128f.qua'!
    Begin scan in 'D:\' <ACERDATA>
    D:\System Volume Information\_restore{FE9DB679-8B9F-4569-9471-BFCEFDF23881}\RP263\A0061639.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE] The file was moved to '498bc40c.qua'!
    D:\System Volume Information\_restore{FE9DB679-8B9F-4569-9471-BFCEFDF23881}\RP263\A0061750.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE] The file was moved to '498bc40d.qua'!
    D:\System Volume Information\_restore{FE9DB679-8B9F-4569-9471-BFCEFDF23881}\RP264\A0061810.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE] The file was moved to '482813fe.qua'!
    D:\System Volume Information\_restore{FE9DB679-8B9F-4569-9471-BFCEFDF23881}\RP264\A0063265.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE] The file was moved to '498bc40e.qua'!
    D:\System Volume Information\_restore{FE9DB679-8B9F-4569-9471-BFCEFDF23881}\RP265\A0063275.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE] The file was moved to '482813ff.qua'!
    D:\System Volume Information\_restore{FE9DB679-8B9F-4569-9471-BFCEFDF23881}\RP266\A0063397.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE] The file was moved to '498bc40f.qua'!
    D:\System Volume Information\_restore{FE9DB679-8B9F-4569-9471-BFCEFDF23881}\RP266\A0063420.cmd
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE] The file was moved to '482813e0.qua'!
    D:\System Volume Information\_restore{FE9DB679-8B9F-4569-9471-BFCEFDF23881}\RP266\A0063421.com
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE] The file was moved to '498bc410.qua'!
    D:\System Volume Information\_restore{FE9DB679-8B9F-4569-9471-BFCEFDF23881}\RP266\A0063422.com
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE] The file was moved to '482813e1.qua'!
    D:\System Volume Information\_restore{FE9DB679-8B9F-4569-9471-BFCEFDF23881}\RP266\A0063423.bat
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE] The file was moved to '498bc412.qua'!
    D:\System Volume Information\_restore{FE9DB679-8B9F-4569-9471-BFCEFDF23881}\RP266\A0063424.com
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE] The file was moved to '498bc411.qua'!
    D:\FOUND.000\FILE0000.CHK
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE] The file was moved to '49a7c42a.qua'!

    End of the scan: mercredi 31 décembre 2008 20:11
    Used time: 1:54:49 Hour(s)

    The scan has been done completely.

    7668 Scanning directories
    328428 Files were scanned
    46 viruses and/or unwanted programs were found
    0 Files were classified as suspicious:
    0 files were deleted
    0 files were repaired
    45 files were moved to quarantine
    0 files were renamed
    2 Files cannot be scanned
    328380 Files not concerned
    8172 Archives were scanned
    3 Warnings
    45 Notes
    0
  4. jlpjlp Messages postés 52399 Statut Contributeur sécurité 5 041
     
    vire ces fichiers si encore present manuellement

    C:\Documents and Settings\Laurent\Shared\manu chao denia.mp3
    C:\Documents and Settings\Laurent\Shared\marre des meufs.mp3
    C:\Documents and Settings\Laurent\Shared\Soldout - For your next girlfriend.mp3

    ________________

    vire ce qui est en quarantaine dans antivir

    ___________________

    scan avec
    MalwareByte's Anti-Malware après mise a jour, en mode normal et vire ce qui est trouvé et colle le rapport

    https://www.malekal.com/tutoriel-malwarebyte-anti-malware/

    ________________________

    mets a jour internet explorer: ici:
    https://www.01net.com/telecharger/windows/Internet/navigateur/fiches/33081.html

    _________________________

    remets un rapport hijakchits et dis tes soucis actuels
    0