FindyKill report, Bagle virus

meyerbsa
Hello,

First of all, thank you in advance for the attention you will give to this request.

I caught the Bagle worm. I ran FindyKill. Not knowing how to proceed from here, I am submitting the report below and look forward to a reply.

Thanks

############################## | FindyKill V5.043 |

# User : Samuel (Administrateurs) # BIBISCH
# Update on 12/05/2010 by El Desaparecido
# Start at: 19:49:45 | 31.05.2010
# Website : http://pagesperso-orange.fr/NosTools/index.html
# Contact : FindyKill.Contact@gmail.com

# Processeur Intel Pentium III Xeon
# Microsoft Windows XP Professionnel (5.1.2600 32-bit) # Service Pack 3
# Internet Explorer 8.0.6001.18702
# Windows Firewall Status : Enabled
# AV : avast! antivirus 4.7.986 [VPS 100330-1] 4.7.986 [ Enabled | Updated ]

# C:\ # Disque fixe local # 149.04 Go (9.54 Go free) # NTFS
# D:\ # Disque CD-ROM
# E:\ # Disque CD-ROM

############################## | Processus infectieux stoppés |

"C:\Documents and Settings\Samuel\Application Data\drivers\winupgro.exe" (2568)
"C:\Documents and Settings\Samuel\Application Data\m\flec006.exe" (2592)
"C:\Documents and Settings\Samuel\Application Data\hidires\flec003.exe" -run (3044)
"C:\WINDOWS\wintems.exe" (252)

################## | Eléments infectieux |

C:\WINDOWS\ban_list.txt
C:\WINDOWS\mdelk.exe
C:\WINDOWS\wintems.exe
C:\WINDOWS\system32\srosa2.sys
C:\WINDOWS\system32\wfsintwq.sys
C:\Documents and Settings\Samuel\Application Data\drivers
C:\Documents and Settings\Samuel\Application Data\drivers\downld
C:\Documents and Settings\Samuel\Application Data\drivers\winupgro.exe
C:\Documents and Settings\Samuel\Application Data\hidires
C:\Documents and Settings\Samuel\Application Data\hidires\config
C:\Documents and Settings\Samuel\Application Data\hidires\config\AC_BootstrapIPs.dat
C:\Documents and Settings\Samuel\Application Data\hidires\config\AC_SearchStrings.dat
C:\Documents and Settings\Samuel\Application Data\hidires\config\AC_ServerMetURLs.dat
C:\Documents and Settings\Samuel\Application Data\hidires\config\cancelled.met
C:\Documents and Settings\Samuel\Application Data\hidires\config\clients.met
C:\Documents and Settings\Samuel\Application Data\hidires\config\clients.met.bak
C:\Documents and Settings\Samuel\Application Data\hidires\config\cryptkey.dat
C:\Documents and Settings\Samuel\Application Data\hidires\config\emfriends.met
C:\Documents and Settings\Samuel\Application Data\hidires\config\key_index.dat
C:\Documents and Settings\Samuel\Application Data\hidires\config\known.met
C:\Documents and Settings\Samuel\Application Data\hidires\config\known2_64.met
C:\Documents and Settings\Samuel\Application Data\hidires\config\load_index.dat
C:\Documents and Settings\Samuel\Application Data\hidires\config\nodes.dat
C:\Documents and Settings\Samuel\Application Data\hidires\config\preferences.dat
C:\Documents and Settings\Samuel\Application Data\hidires\config\preferences.ini
C:\Documents and Settings\Samuel\Application Data\hidires\config\preferencesKad.dat
C:\Documents and Settings\Samuel\Application Data\hidires\config\server.met
C:\Documents and Settings\Samuel\Application Data\hidires\config\server_met.old
C:\Documents and Settings\Samuel\Application Data\hidires\config\shareddir.dat
C:\Documents and Settings\Samuel\Application Data\hidires\config\src_index.dat
C:\Documents and Settings\Samuel\Application Data\hidires\config\statistics.ini
C:\Documents and Settings\Samuel\Application Data\hidires\config\StoredSearches.met
C:\Documents and Settings\Samuel\Application Data\hidires\downloads.bak
C:\Documents and Settings\Samuel\Application Data\hidires\downloads.txt
C:\Documents and Settings\Samuel\Application Data\hidires\file.exe
C:\Documents and Settings\Samuel\Application Data\hidires\flec003.exe
C:\Documents and Settings\Samuel\Application Data\hidires\flec005.exe
C:\Documents and Settings\Samuel\Application Data\hidires\Incoming
C:\Documents and Settings\Samuel\Application Data\hidires\lang
C:\Documents and Settings\Samuel\Application Data\hidires\names.txt
C:\Documents and Settings\Samuel\Application Data\hidires\server.txt
C:\Documents and Settings\Samuel\Application Data\hidires\skins
C:\Documents and Settings\Samuel\Application Data\hidires\Temp
C:\Documents and Settings\Samuel\Application Data\hidires\WDIR
C:\Documents and Settings\Samuel\Application Data\hidires\webserver
C:\Documents and Settings\Samuel\Application Data\m
C:\Documents and Settings\Samuel\Application Data\m\data.oct
C:\Documents and Settings\Samuel\Application Data\m\flec006.exe
C:\Documents and Settings\Samuel\Application Data\m\list.oct
C:\Documents and Settings\Samuel\Application Data\m\srvlist.oct
C:\Documents and Settings\Samuel\Application Data\m\shared

################## | Registre |

[HKLM\SYSTEM\CurrentControlSet\Services\sK9Ou0s]
[HKLM\SYSTEM\ControlSet001\Services\sK9Ou0s]
[HKLM\SYSTEM\ControlSet003\Services\sK9Ou0s]
[HKLM\SYSTEM\CurrentControlSet\Services\srosa]
[HKLM\SYSTEM\ControlSet001\Services\srosa]
[HKLM\SYSTEM\ControlSet003\Services\srosa]
[HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SK9OU0S]
[HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_SK9OU0S]
[HKLM\SYSTEM\ControlSet003\Enum\Root\LEGACY_SK9OU0S]
[HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA]
[HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_SROSA]
[HKCU\Software\bisoft]
[HKCU\Software\DateTime4]
[HKCU\Software\MuleAppData]
[HKCU\Software\WS4001]
[HKCR\ed2k]
[HKCU\Software\Classes\ed2k]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run] "drvsyskit"
[HKU\S-1-5-21-1801674531-507921405-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Run] "drvsyskit"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run] "german.exe"
[HKU\S-1-5-21-1801674531-507921405-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Run] "german.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run] "mule_st_key"
[HKU\S-1-5-21-1801674531-507921405-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Run] "mule_st_key"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run] "flec003.exe"
[HKU\S-1-5-21-1801674531-507921405-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Run] "flec003.exe"
[HKU\S-1-5-21-1801674531-507921405-725345543-1003\Software\bisoft]
[HKU\S-1-5-21-1801674531-507921405-725345543-1003\Software\DateTime4]
[HKU\S-1-5-21-1801674531-507921405-725345543-1003\Software\MuleAppData]
[HKCU\Software\Local AppWizard-Generated Applications\key_generator]
[HKCU\Software\Local AppWizard-Generated Applications\winupgro]
[HKU\S-1-5-21-1801674531-507921405-725345543-1003\Software\Local AppWizard-Generated Applications\key_generator]
[HKU\S-1-5-21-1801674531-507921405-725345543-1003\Software\Local AppWizard-Generated Applications\winupgro]

################## | Etat |

# Affichage des fichiers cachés : OK

Clé manquante : HKLM\...\SafeBoot | Mode sans echec non fonctionnel !

# (!) Ndisuio -> Start = 4 ( Good = 3 | Bad = 4 )
# EapHost -> Start = 3 ( Good = 2 | Bad = 4 )
# (!) Ip6Fw -> Start = 4 ( Good = 2 | Bad = 4 )
# (!) SharedAccess -> Start = 4 ( Good = 2 | Bad = 4 )
# (!) wuauserv -> Start = 4 ( Good = 2 | Bad = 4 )
# (!) wscsvc -> Start = 4 ( Good = 2 | Bad = 4 )

################## | ! Fin du rapport # FindyKill V5.043 ! |

3 replies

  1. archet9
     
    Good evening,

    ! Disconnect from the network and close all running applications (browser included).

    * Plug your external data sources into your PC (USB key, external hard drive, etc.)

    * Relaunch "FindyKill": in the main menu choose option "F" for French and press [Enter].

    * In the second menu choose option 2 (removal) and press [Enter]

    * The PC will restart automatically...

    the program will do its work, don't touch anything... your desktop will not be accessible, that's normal!

    --> Post the report that appears at the end (the report is also saved as C:\FindyKill.txt)

    /!\ If the desktop does not reappear, press Ctrl + Alt + Del, "File" tab, "New task", type explorer.exe and confirm
  2. meyerbsa
     
    Good evening,
    I have finished the procedure you suggested, and here is what I get:

    ############################## | FindyKill V5.043 |

    # User : Samuel (Administrateurs) # BIBISCH
    # Update on 12/05/2010 by El Desaparecido
    # Start at: 20:51:54 | 31.05.2010
    # Website : http://pagesperso-orange.fr/NosTools/index.html
    # Contact : FindyKill.Contact@gmail.com

    # Processeur Intel Pentium III Xeon
    # Microsoft Windows XP Professionnel (5.1.2600 32-bit) # Service Pack 3
    # Internet Explorer 8.0.6001.18702
    # Windows Firewall Status : Enabled
    # AV : avast! antivirus 4.7.986 [VPS 100330-1] 4.7.986 [ Enabled | Updated ]

    # C:\ # Disque fixe local # 149.04 Go (9.48 Go free) # NTFS
    # D:\ # Disque CD-ROM
    # E:\ # Disque CD-ROM
    # I:\ # Disque amovible # 7.47 Go (1.26 Go free) [BIBICH] # FAT32

    ################## | Eléments infectieux |

    Supprimé ! C:\WINDOWS\ban_list.txt
    Supprimé ! C:\WINDOWS\mdelk.exe
    Supprimé ! C:\WINDOWS\wintems.exe
    Supprimé ! C:\WINDOWS\system32\srosa2.sys
    Supprimé ! C:\WINDOWS\system32\wfsintwq.sys
    Supprimé ! C:\Documents and Settings\Samuel\Application Data\drivers\downld
    Supprimé ! C:\Documents and Settings\Samuel\Application Data\drivers\winupgro.exe
    Supprimé ! C:\Documents and Settings\Samuel\Application Data\drivers
    Supprimé ! C:\Documents and Settings\Samuel\Application Data\hidires\downloads.bak
    Supprimé ! C:\Documents and Settings\Samuel\Application Data\hidires\downloads.txt
    Supprimé ! C:\Documents and Settings\Samuel\Application Data\hidires\config\AC_BootstrapIPs.dat
    Supprimé ! C:\Documents and Settings\Samuel\Application Data\hidires\config\AC_SearchStrings.dat
    Supprimé ! C:\Documents and Settings\Samuel\Application Data\hidires\config\AC_ServerMetURLs.dat
    Supprimé ! C:\Documents and Settings\Samuel\Application Data\hidires\config\cancelled.met
    Supprimé ! C:\Documents and Settings\Samuel\Application Data\hidires\config\clients.met
    Supprimé ! C:\Documents and Settings\Samuel\Application Data\hidires\config\clients.met.bak
    Supprimé ! C:\Documents and Settings\Samuel\Application Data\hidires\config\cryptkey.dat
    Supprimé ! C:\Documents and Settings\Samuel\Application Data\hidires\config\emfriends.met
    Supprimé ! C:\Documents and Settings\Samuel\Application Data\hidires\config\key_index.dat
    Supprimé ! C:\Documents and Settings\Samuel\Application Data\hidires\config\known.met
    Supprimé ! C:\Documents and Settings\Samuel\Application Data\hidires\config\known2_64.met
    Supprimé ! C:\Documents and Settings\Samuel\Application Data\hidires\config\load_index.dat
    Supprimé ! C:\Documents and Settings\Samuel\Application Data\hidires\config\nodes.dat
    Supprimé ! C:\Documents and Settings\Samuel\Application Data\hidires\config\preferences.dat
    Supprimé ! C:\Documents and Settings\Samuel\Application Data\hidires\config\preferences.ini
    Supprimé ! C:\Documents and Settings\Samuel\Application Data\hidires\config\preferencesKad.dat
    Supprimé ! C:\Documents and Settings\Samuel\Application Data\hidires\config\server.met
    Supprimé ! C:\Documents and Settings\Samuel\Application Data\hidires\config\server_met.old
    Supprimé ! C:\Documents and Settings\Samuel\Application Data\hidires\config\shareddir.dat
    Supprimé ! C:\Documents and Settings\Samuel\Application Data\hidires\config\src_index.dat
    Supprimé ! C:\Documents and Settings\Samuel\Application Data\hidires\config\statistics.ini
    Supprimé ! C:\Documents and Settings\Samuel\Application Data\hidires\config\StoredSearches.met
    Supprimé ! C:\Documents and Settings\Samuel\Application Data\hidires\config
    Supprimé ! C:\Documents and Settings\Samuel\Application Data\hidires\file.exe
    Supprimé ! C:\Documents and Settings\Samuel\Application Data\hidires\flec003.exe
    Supprimé ! C:\Documents and Settings\Samuel\Application Data\hidires\flec005.exe
    Supprimé ! C:\Documents and Settings\Samuel\Application Data\hidires\Incoming
    Supprimé ! C:\Documents and Settings\Samuel\Application Data\hidires\lang
    Supprimé ! C:\Documents and Settings\Samuel\Application Data\hidires\names.txt
    Supprimé ! C:\Documents and Settings\Samuel\Application Data\hidires\server.txt
    Supprimé ! C:\Documents and Settings\Samuel\Application Data\hidires\skins
    Supprimé ! C:\Documents and Settings\Samuel\Application Data\hidires\Temp
    Supprimé ! C:\Documents and Settings\Samuel\Application Data\hidires\WDIR
    Supprimé ! C:\Documents and Settings\Samuel\Application Data\hidires\webserver
    Supprimé ! C:\Documents and Settings\Samuel\Application Data\hidires
    Supprimé ! C:\Documents and Settings\Samuel\Application Data\m\data.oct
    Supprimé ! C:\Documents and Settings\Samuel\Application Data\m\flec006.exe
    Supprimé ! C:\Documents and Settings\Samuel\Application Data\m\list.oct
    Supprimé ! C:\Documents and Settings\Samuel\Application Data\m\shared
    Supprimé ! C:\Documents and Settings\Samuel\Application Data\m\srvlist.oct
    Supprimé ! C:\Documents and Settings\Samuel\Application Data\m

    ################## | Références de comparaison Bagle MD5 : |

    File : C:\Documents and Settings\Samuel\Application Data\drivers\winupgro.exe
    -> Crc32 : 6f1f132f | Md5 : 8beaa9e486408710826509758e3b85ec

    ################## | MD5 ... |

    Supprimé ! "C:\Program Files\Shock Utility\ShockAero3D\ShockAero3D.exe"
    -> Size : 1058304 | Crc32 : 6f1f132f | Md5 : 8beaa9e486408710826509758e3b85ec

    Supprimé ! "C:\System Volume Information\_restore{57128E99-A996-4058-9314-66A0176EE981}\RP107\A0026773.exe"
    -> Size : 1033216 | Crc32 : 7de3edef | Md5 : 301501ecb76a5bf5f9feadd1ec56e078

    Supprimé ! "C:\System Volume Information\_restore{57128E99-A996-4058-9314-66A0176EE981}\RP107\A0026843.exe"
    -> Size : 1033216 | Crc32 : 7de3edef | Md5 : 301501ecb76a5bf5f9feadd1ec56e078

    Supprimé ! "C:\System Volume Information\_restore{57128E99-A996-4058-9314-66A0176EE981}\RP146\A0043010.exe"
    -> Size : 1033216 | Crc32 : 7de3edef | Md5 : 301501ecb76a5bf5f9feadd1ec56e078

    Supprimé ! "C:\System Volume Information\_restore{57128E99-A996-4058-9314-66A0176EE981}\RP146\A0043043.exe"
    -> Size : 1058304 | Crc32 : 6f1f132f | Md5 : 8beaa9e486408710826509758e3b85ec

    Supprimé ! "C:\System Volume Information\_restore{57128E99-A996-4058-9314-66A0176EE981}\RP155\A0045937.exe"
    -> Size : 1058304 | Crc32 : 6f1f132f | Md5 : 8beaa9e486408710826509758e3b85ec

    ################## | CRC32 ... |
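Added example, not part of this thread and not FindyKill's own code: a small Python triage script that parses the two report sections a responder cares about when reading such a log, the "Etat" block of the first report (which service Start values the tool flagged, and whether the SafeBoot key is missing) and the "Références de comparaison Bagle MD5" / "MD5 ..." blocks of the second report (which deleted files carry the same MD5 as the reference sample). The report excerpt embedded below is constructed from the layout shown in this thread, reusing the hashes and paths the second report prints; the section titles, regexes and function names are this example's own assumptions about the format, not a documented FindyKill interface.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed excerpt in the FindyKill report layout used in this thread; the
# winupgro.exe reference and the hashes are copied from the second report above.
SAMPLE_REPORT = r"""
################## | Etat |

# Affichage des fichiers cachés : OK

Clé manquante : HKLM\...\SafeBoot | Mode sans echec non fonctionnel !

# (!) Ndisuio -> Start = 4 ( Good = 3 | Bad = 4 )
# EapHost -> Start = 3 ( Good = 2 | Bad = 4 )
# (!) wuauserv -> Start = 4 ( Good = 2 | Bad = 4 )
# (!) wscsvc -> Start = 4 ( Good = 2 | Bad = 4 )

################## | Références de comparaison Bagle MD5 : |

File : C:\Documents and Settings\Samuel\Application Data\drivers\winupgro.exe
-> Crc32 : 6f1f132f | Md5 : 8beaa9e486408710826509758e3b85ec

################## | MD5 ... |

Supprimé ! "C:\Program Files\Shock Utility\ShockAero3D\ShockAero3D.exe"
-> Size : 1058304 | Crc32 : 6f1f132f | Md5 : 8beaa9e486408710826509758e3b85ec

Supprimé ! "C:\System Volume Information\_restore{57128E99-A996-4058-9314-66A0176EE981}\RP107\A0026773.exe"
-> Size : 1033216 | Crc32 : 7de3edef | Md5 : 301501ecb76a5bf5f9feadd1ec56e078
"""

# Section header:  "################## | <title> |"
SECTION_RE = re.compile(r"^#+\s*\|\s*(?P<title>.+?)\s*\|\s*$")
# Service line:    "# (!) wuauserv -> Start = 4 ( Good = 2 | Bad = 4 )"
# Windows Start values: 2 = Automatic, 3 = Manual, 4 = Disabled.
SERVICE_RE = re.compile(
    r"^#\s*(?P<flag>\(!\)\s*)?(?P<name>\w+)\s*->\s*Start\s*=\s*(?P<start>\d+)"
    r"\s*\(\s*Good\s*=\s*(?P<good>\d+)\s*\|\s*Bad\s*=\s*(?P<bad>\d+)\s*\)"
)
# Path line, either 'File : C:\...' (reference) or 'Supprimé ! "C:\..."' (deleted copy)
PATH_RE = re.compile(r'^(?:File\s*:\s*|Supprimé !\s*)"?(?P<path>[A-Za-z]:\\.*?)"?\s*$')
# Detail line:     "-> Size : 1058304 | Crc32 : 6f1f132f | Md5 : 8bea..."  (Size optional)
DETAIL_RE = re.compile(
    r"^->\s*(?:Size\s*:\s*(?P<size>\d+)\s*\|\s*)?Crc32\s*:\s*(?P<crc>[0-9a-fA-F]{8})"
    r"\s*\|\s*Md5\s*:\s*(?P<md5>[0-9a-fA-F]{32})"
)


def split_sections(report: str) -> Dict[str, List[str]]:
    """Group report lines under the '| title |' header that precedes them."""
    sections: Dict[str, List[str]] = {"header": []}
    current = "header"
    for line in report.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group("title")
            sections.setdefault(current, [])
            continue
        sections[current].append(line.rstrip())
    return sections


def parse_services(report: str) -> List[Dict[str, object]]:
    """Return each service line of the 'Etat' section with a verdict:
    'bad' if Start equals the Bad value, 'ok' if it equals Good, else 'other'."""
    result = []
    for line in split_sections(report).get("Etat", []):
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        start, good, bad = (int(m.group(k)) for k in ("start", "good", "bad"))
        verdict = "bad" if start == bad else "ok" if start == good else "other"
        result.append({"service": m.group("name"), "start": start,
                       "good": good, "bad": bad, "verdict": verdict})
    return result


def safeboot_missing(report: str) -> bool:
    """True when the tool reports the SafeBoot key as missing (safe mode broken)."""
    return any("SafeBoot" in ln and "manquante" in ln
               for ln in split_sections(report).get("Etat", []))


def parse_hash_entries(lines: List[str]) -> List[Dict[str, object]]:
    """Pair each path line with the '-> ... Md5 : ...' detail line that follows it."""
    entries, path = [], None
    for line in lines:
        s = line.strip()
        pm = PATH_RE.match(s)
        if pm:
            path = pm.group("path")
            continue
        dm = DETAIL_RE.match(s)
        if dm and path:
            entries.append({"path": path,
                            "size": int(dm.group("size")) if dm.group("size") else None,
                            "crc32": dm.group("crc").lower(), "md5": dm.group("md5").lower()})
            path = None
    return entries


def bagle_matches(report: str) -> Tuple[Set[str], List[Dict[str, object]]]:
    """Reference MD5 set from the 'Références de comparaison' section, and the
    entries of the 'MD5 ...' section whose hash matches one of them."""
    sections = split_sections(report)
    refs = {e["md5"] for title, lines in sections.items()
            if title.startswith("Références de comparaison")
            for e in parse_hash_entries(lines)}
    hits = [e for e in parse_hash_entries(sections.get("MD5 ...", [])) if e["md5"] in refs]
    return refs, hits


def triage(report: str) -> Dict[str, object]:
    """One-glance summary a helper would look at before replying."""
    refs, hits = bagle_matches(report)
    return {"safeboot_missing": safeboot_missing(report),
            "disabled_services": [s["service"] for s in parse_services(report) if s["verdict"] == "bad"],
            "reference_md5": sorted(refs),
            "bagle_copies": [h["path"] for h in hits]}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

Note that EapHost in the excerpt is Start = 3 while Good = 2: that is not the disabled value, so the script reports it as "other" rather than "bad", exactly as the tool left it without a "(!)" flag. The restore-point copies with the second hash (301501ec...) are listed as deleted by the tool but are not in the reference set, so the script does not count them as Bagle matches; it only reports what the hashes on the page support.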
  3. archet9
     
    The end of the report is missing... Can you post it again in full, please?
    It ends with "Fin du rapport # FindyKill V5.043"!

    Cheers
