FindyKill report, Bagle virus

Closed
meyerbsa - 31 May 2010 at 20:25
Hello,

First of all, thank you in advance for the interest you will take in this request.

I caught the Bagle worm. I ran FindyKill. Not knowing how to proceed from here, I am submitting the report below and look forward to a reply.

Thanks



############################## | FindyKill V5.043 |

# User : Samuel (Administrateurs) # BIBISCH
# Update on 12/05/2010 by El Desaparecido
# Start at: 19:49:45 | 31.05.2010
# Website : http://pagesperso-orange.fr/NosTools/index.html
# Contact : FindyKill.Contact@gmail.com

# Processeur Intel Pentium III Xeon
# Microsoft Windows XP Professionnel (5.1.2600 32-bit) # Service Pack 3
# Internet Explorer 8.0.6001.18702
# Windows Firewall Status : Enabled
# AV : avast! antivirus 4.7.986 [VPS 100330-1] 4.7.986 [ Enabled | Updated ]

# C:\ # Disque fixe local # 149.04 Go (9.54 Go free) # NTFS
# D:\ # Disque CD-ROM
# E:\ # Disque CD-ROM

############################## | Processus infectieux stoppés |

"C:\Documents and Settings\Samuel\Application Data\drivers\winupgro.exe" (2568)
"C:\Documents and Settings\Samuel\Application Data\m\flec006.exe" (2592)
"C:\Documents and Settings\Samuel\Application Data\hidires\flec003.exe" -run (3044)
"C:\WINDOWS\wintems.exe" (252)

################## | Eléments infectieux |

C:\WINDOWS\ban_list.txt
C:\WINDOWS\mdelk.exe
C:\WINDOWS\wintems.exe
C:\WINDOWS\system32\srosa2.sys
C:\WINDOWS\system32\wfsintwq.sys
C:\Documents and Settings\Samuel\Application Data\drivers
C:\Documents and Settings\Samuel\Application Data\drivers\downld
C:\Documents and Settings\Samuel\Application Data\drivers\winupgro.exe
C:\Documents and Settings\Samuel\Application Data\hidires
C:\Documents and Settings\Samuel\Application Data\hidires\config
C:\Documents and Settings\Samuel\Application Data\hidires\config\AC_BootstrapIPs.dat
C:\Documents and Settings\Samuel\Application Data\hidires\config\AC_SearchStrings.dat
C:\Documents and Settings\Samuel\Application Data\hidires\config\AC_ServerMetURLs.dat
C:\Documents and Settings\Samuel\Application Data\hidires\config\cancelled.met
C:\Documents and Settings\Samuel\Application Data\hidires\config\clients.met
C:\Documents and Settings\Samuel\Application Data\hidires\config\clients.met.bak
C:\Documents and Settings\Samuel\Application Data\hidires\config\cryptkey.dat
C:\Documents and Settings\Samuel\Application Data\hidires\config\emfriends.met
C:\Documents and Settings\Samuel\Application Data\hidires\config\key_index.dat
C:\Documents and Settings\Samuel\Application Data\hidires\config\known.met
C:\Documents and Settings\Samuel\Application Data\hidires\config\known2_64.met
C:\Documents and Settings\Samuel\Application Data\hidires\config\load_index.dat
C:\Documents and Settings\Samuel\Application Data\hidires\config\nodes.dat
C:\Documents and Settings\Samuel\Application Data\hidires\config\preferences.dat
C:\Documents and Settings\Samuel\Application Data\hidires\config\preferences.ini
C:\Documents and Settings\Samuel\Application Data\hidires\config\preferencesKad.dat
C:\Documents and Settings\Samuel\Application Data\hidires\config\server.met
C:\Documents and Settings\Samuel\Application Data\hidires\config\server_met.old
C:\Documents and Settings\Samuel\Application Data\hidires\config\shareddir.dat
C:\Documents and Settings\Samuel\Application Data\hidires\config\src_index.dat
C:\Documents and Settings\Samuel\Application Data\hidires\config\statistics.ini
C:\Documents and Settings\Samuel\Application Data\hidires\config\StoredSearches.met
C:\Documents and Settings\Samuel\Application Data\hidires\downloads.bak
C:\Documents and Settings\Samuel\Application Data\hidires\downloads.txt
C:\Documents and Settings\Samuel\Application Data\hidires\file.exe
C:\Documents and Settings\Samuel\Application Data\hidires\flec003.exe
C:\Documents and Settings\Samuel\Application Data\hidires\flec005.exe
C:\Documents and Settings\Samuel\Application Data\hidires\Incoming
C:\Documents and Settings\Samuel\Application Data\hidires\lang
C:\Documents and Settings\Samuel\Application Data\hidires\names.txt
C:\Documents and Settings\Samuel\Application Data\hidires\server.txt
C:\Documents and Settings\Samuel\Application Data\hidires\skins
C:\Documents and Settings\Samuel\Application Data\hidires\Temp
C:\Documents and Settings\Samuel\Application Data\hidires\WDIR
C:\Documents and Settings\Samuel\Application Data\hidires\webserver
C:\Documents and Settings\Samuel\Application Data\m
C:\Documents and Settings\Samuel\Application Data\m\data.oct
C:\Documents and Settings\Samuel\Application Data\m\flec006.exe
C:\Documents and Settings\Samuel\Application Data\m\list.oct
C:\Documents and Settings\Samuel\Application Data\m\srvlist.oct
C:\Documents and Settings\Samuel\Application Data\m\shared

################## | Registre |

[HKLM\SYSTEM\CurrentControlSet\Services\sK9Ou0s]
[HKLM\SYSTEM\ControlSet001\Services\sK9Ou0s]
[HKLM\SYSTEM\ControlSet003\Services\sK9Ou0s]
[HKLM\SYSTEM\CurrentControlSet\Services\srosa]
[HKLM\SYSTEM\ControlSet001\Services\srosa]
[HKLM\SYSTEM\ControlSet003\Services\srosa]
[HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SK9OU0S]
[HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_SK9OU0S]
[HKLM\SYSTEM\ControlSet003\Enum\Root\LEGACY_SK9OU0S]
[HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA]
[HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_SROSA]
[HKCU\Software\bisoft]
[HKCU\Software\DateTime4]
[HKCU\Software\MuleAppData]
[HKCU\Software\WS4001]
[HKCR\ed2k]
[HKCU\Software\Classes\ed2k]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run] "drvsyskit"
[HKU\S-1-5-21-1801674531-507921405-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Run] "drvsyskit"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run] "german.exe"
[HKU\S-1-5-21-1801674531-507921405-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Run] "german.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run] "mule_st_key"
[HKU\S-1-5-21-1801674531-507921405-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Run] "mule_st_key"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run] "flec003.exe"
[HKU\S-1-5-21-1801674531-507921405-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Run] "flec003.exe"
[HKU\S-1-5-21-1801674531-507921405-725345543-1003\Software\bisoft]
[HKU\S-1-5-21-1801674531-507921405-725345543-1003\Software\DateTime4]
[HKU\S-1-5-21-1801674531-507921405-725345543-1003\Software\MuleAppData]
[HKCU\Software\Local AppWizard-Generated Applications\key_generator]
[HKCU\Software\Local AppWizard-Generated Applications\winupgro]
[HKU\S-1-5-21-1801674531-507921405-725345543-1003\Software\Local AppWizard-Generated Applications\key_generator]
[HKU\S-1-5-21-1801674531-507921405-725345543-1003\Software\Local AppWizard-Generated Applications\winupgro]

################## | Etat |

# Affichage des fichiers cachés : OK

Clé manquante : HKLM\...\SafeBoot | Mode sans echec non fonctionnel !

# (!) Ndisuio -> Start = 4 ( Good = 3 | Bad = 4 )
# EapHost -> Start = 3 ( Good = 2 | Bad = 4 )
# (!) Ip6Fw -> Start = 4 ( Good = 2 | Bad = 4 )
# (!) SharedAccess -> Start = 4 ( Good = 2 | Bad = 4 )
# (!) wuauserv -> Start = 4 ( Good = 2 | Bad = 4 )
# (!) wscsvc -> Start = 4 ( Good = 2 | Bad = 4 )

################## | ! Fin du rapport # FindyKill V5.043 ! |





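The "| Etat |" section of the report above is where Bagle's tampering is visible: Windows services whose Start value is 4 (disabled on XP; 2 is automatic, 3 is manual) where FindyKill expects 2 or 3, plus a deleted SafeBoot key, which is why safe mode no longer works. The script below is an added example, not FindyKill's code and not something posted in the thread: it parses a constructed excerpt of that report into a findings list, flagging every service whose Start equals the report's "Bad" value, the missing key, the stopped processes and the Run-key entries. The regexes target the French labels FindyKill prints ("Processus infectieux stoppés", "Registre", "Etat", "Clé manquante"); they are inferred from this single report rather than from a published format specification.

```python
"""Turn a FindyKill report into a findings list.

Added example: this is not FindyKill's code and was not posted in the thread.
The section banners and line shapes are taken from the report above; the
excerpt in SAMPLE_REPORT is constructed from it and is not a full report.
"""
import re
from dataclasses import dataclass, field

# Constructed excerpt of the first report in the thread (the French labels
# are what the tool actually prints).
SAMPLE_REPORT = r"""
############################## | FindyKill V5.043 |

# User : Samuel (Administrateurs) # BIBISCH
# Windows Firewall Status : Enabled

############################## | Processus infectieux stoppés |

"C:\WINDOWS\wintems.exe" (252)
"C:\Documents and Settings\Samuel\Application Data\hidires\flec003.exe" -run (3044)

################## | Registre |

[HKLM\SYSTEM\CurrentControlSet\Services\srosa]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run] "drvsyskit"

################## | Etat |

# Affichage des fichiers cachés : OK

Clé manquante : HKLM\...\SafeBoot | Mode sans echec non fonctionnel !

# (!) Ndisuio -> Start = 4 ( Good = 3 | Bad = 4 )
# EapHost -> Start = 3 ( Good = 2 | Bad = 4 )
# (!) SharedAccess -> Start = 4 ( Good = 2 | Bad = 4 )
# (!) wuauserv -> Start = 4 ( Good = 2 | Bad = 4 )

################## | ! Fin du rapport # FindyKill V5.043 ! |
"""

SECTION_RE = re.compile(r"^#+ \| (.+?) \|$")
PROCESS_RE = re.compile(r'^"(?P<path>[^"]+)"[^(]*\((?P<pid>\d+)\)$')
RUN_KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\] "(?P<value>[^"]+)"$')
SERVICE_RE = re.compile(
    r"^# (?:\(!\) )?(?P<name>\S+) -> Start = (?P<start>\d+) "
    r"\( Good = (?P<good>\d+) \| Bad = (?P<bad>\d+) \)$"
)


@dataclass
class Findings:
    stopped_processes: list = field(default_factory=list)  # (path, pid)
    registry_keys: list = field(default_factory=list)      # bare keys listed
    run_entries: list = field(default_factory=list)        # (key, value name)
    services: list = field(default_factory=list)           # one dict per service
    missing_keys: list = field(default_factory=list)


def parse_report(text):
    """Walk the report line by line, tracking the current '| banner |'."""
    found = Findings()
    section = ""
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        banner = SECTION_RE.match(line)
        if banner:
            section = banner.group(1)
            continue
        if section.startswith("Processus infectieux"):
            m = PROCESS_RE.match(line)
            if m:
                found.stopped_processes.append((m.group("path"), int(m.group("pid"))))
        elif section == "Registre":
            m = RUN_KEY_RE.match(line)
            if m:
                found.run_entries.append((m.group("key"), m.group("value")))
            elif line.startswith("["):
                found.registry_keys.append(line.strip("[]"))
        elif section == "Etat":
            m = SERVICE_RE.match(line)
            if m:
                start, good, bad = (int(m.group(k)) for k in ("start", "good", "bad"))
                found.services.append({"name": m.group("name"), "start": start,
                                       "good": good, "bad": bad, "disabled": start == bad})
            elif line.startswith("Clé manquante"):
                # "Clé manquante : HKLM\...\SafeBoot | Mode sans echec non fonctionnel !"
                found.missing_keys.append(line.split(":", 1)[1].split("|")[0].strip())
    return found


def disabled_services(found):
    """Names of services whose Start value equals the report's 'Bad' value."""
    return [s["name"] for s in found.services if s["disabled"]]


def safe_mode_broken(found):
    return any(key.endswith("SafeBoot") for key in found.missing_keys)


if __name__ == "__main__":
    f = parse_report(SAMPLE_REPORT)
    print("stopped processes:", f.stopped_processes)
    print("Run entries:", f.run_entries)
    print("services set to Bad:", disabled_services(f))
    print("safe mode broken:", safe_mode_broken(f))
```

On XP, SharedAccess is the Windows Firewall/ICS service, wuauserv is Automatic Updates and wscsvc is Security Center, so the three "(!)" lines in the report mean the worm switched off the firewall, patching and the security alerts in one go. The header's "Windows Firewall Status : Enabled" line is not evidence that the firewall is running when the service that implements it has Start = 4; read the service state, not the status flag. Note that EapHost (Start = 3 against Good = 2) is neither flagged by FindyKill nor by this script, since only the "Bad" value is treated as tampering.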
3 replies

Anonymous user
31 May 2010 at 20:35
Good evening,

! Disconnect from the Internet and close every running application (browser included).

* Connect your external data sources to your PC (USB key, external hard drive, etc.)

* Run "FindyKill" again: at the main menu choose option "F" for French and press [Enter].

* At the second menu choose option 2 (removal) and press [Enter]

* The PC will restart automatically...

The program will work; don't touch anything... your desktop will not be accessible, that is normal!

--> Post the report that appears at the end (the report is also saved as C:\FindyKill.txt)

/!\ If the desktop does not reappear, press Ctrl + Alt + Del, "File" tab, "New Task", type explorer.exe and confirm
meyerbsa
31 May 2010 at 21:58
Good evening,
I finished running the procedure you suggested and here is what I get:


############################## | FindyKill V5.043 |

# User : Samuel (Administrateurs) # BIBISCH
# Update on 12/05/2010 by El Desaparecido
# Start at: 20:51:54 | 31.05.2010
# Website : http://pagesperso-orange.fr/NosTools/index.html
# Contact : FindyKill.Contact@gmail.com

# Processeur Intel Pentium III Xeon
# Microsoft Windows XP Professionnel (5.1.2600 32-bit) # Service Pack 3
# Internet Explorer 8.0.6001.18702
# Windows Firewall Status : Enabled
# AV : avast! antivirus 4.7.986 [VPS 100330-1] 4.7.986 [ Enabled | Updated ]

# C:\ # Disque fixe local # 149.04 Go (9.48 Go free) # NTFS
# D:\ # Disque CD-ROM
# E:\ # Disque CD-ROM
# I:\ # Disque amovible # 7.47 Go (1.26 Go free) [BIBICH] # FAT32

################## | Eléments infectieux |

Supprimé ! C:\WINDOWS\ban_list.txt
Supprimé ! C:\WINDOWS\mdelk.exe
Supprimé ! C:\WINDOWS\wintems.exe
Supprimé ! C:\WINDOWS\system32\srosa2.sys
Supprimé ! C:\WINDOWS\system32\wfsintwq.sys
Supprimé ! C:\Documents and Settings\Samuel\Application Data\drivers\downld
Supprimé ! C:\Documents and Settings\Samuel\Application Data\drivers\winupgro.exe
Supprimé ! C:\Documents and Settings\Samuel\Application Data\drivers
Supprimé ! C:\Documents and Settings\Samuel\Application Data\hidires\downloads.bak
Supprimé ! C:\Documents and Settings\Samuel\Application Data\hidires\downloads.txt
Supprimé ! C:\Documents and Settings\Samuel\Application Data\hidires\config\AC_BootstrapIPs.dat
Supprimé ! C:\Documents and Settings\Samuel\Application Data\hidires\config\AC_SearchStrings.dat
Supprimé ! C:\Documents and Settings\Samuel\Application Data\hidires\config\AC_ServerMetURLs.dat
Supprimé ! C:\Documents and Settings\Samuel\Application Data\hidires\config\cancelled.met
Supprimé ! C:\Documents and Settings\Samuel\Application Data\hidires\config\clients.met
Supprimé ! C:\Documents and Settings\Samuel\Application Data\hidires\config\clients.met.bak
Supprimé ! C:\Documents and Settings\Samuel\Application Data\hidires\config\cryptkey.dat
Supprimé ! C:\Documents and Settings\Samuel\Application Data\hidires\config\emfriends.met
Supprimé ! C:\Documents and Settings\Samuel\Application Data\hidires\config\key_index.dat
Supprimé ! C:\Documents and Settings\Samuel\Application Data\hidires\config\known.met
Supprimé ! C:\Documents and Settings\Samuel\Application Data\hidires\config\known2_64.met
Supprimé ! C:\Documents and Settings\Samuel\Application Data\hidires\config\load_index.dat
Supprimé ! C:\Documents and Settings\Samuel\Application Data\hidires\config\nodes.dat
Supprimé ! C:\Documents and Settings\Samuel\Application Data\hidires\config\preferences.dat
Supprimé ! C:\Documents and Settings\Samuel\Application Data\hidires\config\preferences.ini
Supprimé ! C:\Documents and Settings\Samuel\Application Data\hidires\config\preferencesKad.dat
Supprimé ! C:\Documents and Settings\Samuel\Application Data\hidires\config\server.met
Supprimé ! C:\Documents and Settings\Samuel\Application Data\hidires\config\server_met.old
Supprimé ! C:\Documents and Settings\Samuel\Application Data\hidires\config\shareddir.dat
Supprimé ! C:\Documents and Settings\Samuel\Application Data\hidires\config\src_index.dat
Supprimé ! C:\Documents and Settings\Samuel\Application Data\hidires\config\statistics.ini
Supprimé ! C:\Documents and Settings\Samuel\Application Data\hidires\config\StoredSearches.met
Supprimé ! C:\Documents and Settings\Samuel\Application Data\hidires\config
Supprimé ! C:\Documents and Settings\Samuel\Application Data\hidires\file.exe
Supprimé ! C:\Documents and Settings\Samuel\Application Data\hidires\flec003.exe
Supprimé ! C:\Documents and Settings\Samuel\Application Data\hidires\flec005.exe
Supprimé ! C:\Documents and Settings\Samuel\Application Data\hidires\Incoming
Supprimé ! C:\Documents and Settings\Samuel\Application Data\hidires\lang
Supprimé ! C:\Documents and Settings\Samuel\Application Data\hidires\names.txt
Supprimé ! C:\Documents and Settings\Samuel\Application Data\hidires\server.txt
Supprimé ! C:\Documents and Settings\Samuel\Application Data\hidires\skins
Supprimé ! C:\Documents and Settings\Samuel\Application Data\hidires\Temp
Supprimé ! C:\Documents and Settings\Samuel\Application Data\hidires\WDIR
Supprimé ! C:\Documents and Settings\Samuel\Application Data\hidires\webserver
Supprimé ! C:\Documents and Settings\Samuel\Application Data\hidires
Supprimé ! C:\Documents and Settings\Samuel\Application Data\m\data.oct
Supprimé ! C:\Documents and Settings\Samuel\Application Data\m\flec006.exe
Supprimé ! C:\Documents and Settings\Samuel\Application Data\m\list.oct
Supprimé ! C:\Documents and Settings\Samuel\Application Data\m\shared
Supprimé ! C:\Documents and Settings\Samuel\Application Data\m\srvlist.oct
Supprimé ! C:\Documents and Settings\Samuel\Application Data\m

################## | Références de comparaison Bagle MD5 : |

File : C:\Documents and Settings\Samuel\Application Data\drivers\winupgro.exe
-> Crc32 : 6f1f132f | Md5 : 8beaa9e486408710826509758e3b85ec


################## | MD5 ... |

Supprimé ! "C:\Program Files\Shock Utility\ShockAero3D\ShockAero3D.exe"
-> Size : 1058304 | Crc32 : 6f1f132f | Md5 : 8beaa9e486408710826509758e3b85ec

Supprimé ! "C:\System Volume Information\_restore{57128E99-A996-4058-9314-66A0176EE981}\RP107\A0026773.exe"
-> Size : 1033216 | Crc32 : 7de3edef | Md5 : 301501ecb76a5bf5f9feadd1ec56e078

Supprimé ! "C:\System Volume Information\_restore{57128E99-A996-4058-9314-66A0176EE981}\RP107\A0026843.exe"
-> Size : 1033216 | Crc32 : 7de3edef | Md5 : 301501ecb76a5bf5f9feadd1ec56e078

Supprimé ! "C:\System Volume Information\_restore{57128E99-A996-4058-9314-66A0176EE981}\RP146\A0043010.exe"
-> Size : 1033216 | Crc32 : 7de3edef | Md5 : 301501ecb76a5bf5f9feadd1ec56e078

Supprimé ! "C:\System Volume Information\_restore{57128E99-A996-4058-9314-66A0176EE981}\RP146\A0043043.exe"
-> Size : 1058304 | Crc32 : 6f1f132f | Md5 : 8beaa9e486408710826509758e3b85ec

Supprimé ! "C:\System Volume Information\_restore{57128E99-A996-4058-9314-66A0176EE981}\RP155\A0045937.exe"
-> Size : 1058304 | Crc32 : 6f1f132f | Md5 : 8beaa9e486408710826509758e3b85ec


################## | CRC32 ... |
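The "| Références de comparaison Bagle MD5 |" and "| MD5 ... |" sections of the report above show how FindyKill found further copies of the dropper: it fingerprinted winupgro.exe (CRC32 6f1f132f, MD5 8beaa9e486408710826509758e3b85ec) and deleted every file on the volume with the same size and hashes, including the copies System Restore had archived under System Volume Information and the original ShockAero3D.exe. The script below is an added example of that same hunt, my code and not FindyKill's: it fingerprints one known-bad file and walks a tree for byte-identical copies, using the file size as a cheap pre-filter so that only size matches get read and hashed. The directory layout and file contents are constructed in a temporary directory; the path names only imitate the ones in the report, and the fake dropper bytes have nothing to do with the real sample.

```python
"""Hunt for byte-identical copies of a known dropper by size, CRC32 and MD5.

Added example, not FindyKill's code. It reproduces the matching idea shown in
the '| MD5 ... |' section of the report: hash one known-bad file and flag
every other file with the same (size, crc32, md5). Everything under
build_sample_volume() is constructed; no real malware is involved.
"""
import hashlib
import os
import shutil
import tempfile
import zlib


def file_fingerprint(path, chunk=1 << 16):
    """Return (size, crc32 hex, md5 hex), computed in a single pass over the file."""
    size, crc, md5 = 0, 0, hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            size += len(block)
            crc = zlib.crc32(block, crc)
            md5.update(block)
    return size, f"{crc & 0xFFFFFFFF:08x}", md5.hexdigest()


def find_copies(root, references):
    """Walk `root` and return [(path, fingerprint)] for files whose fingerprint
    is in `references` (a set of (size, crc32, md5) tuples).

    Size is checked first so most files are rejected by a stat() call alone;
    the two hashes are only computed for files that match a reference size.
    """
    sizes = {size for size, _, _ in references}
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) not in sizes:
                    continue
                fp = file_fingerprint(path)
            except OSError:  # unreadable or vanished file: keep walking
                continue
            if fp in references:
                hits.append((path, fp))
    return sorted(hits)


def build_sample_volume():
    """Constructed layout imitating the report: the dropper, a restore-point
    copy of it, a benign file of exactly the same size, and an unrelated file."""
    root = tempfile.mkdtemp(prefix="bagle_demo_")
    dropper = b"MZ" + b"\x90" * 1000 + b"fake-dropper"   # 1014 bytes
    benign = b"MZ" + b"\x90" * 1000 + b"fake-benign!"    # same size, different bytes
    layout = {
        "Documents and Settings/Samuel/Application Data/drivers/winupgro.exe": dropper,
        "System Volume Information/_restore{X}/RP146/A0043043.exe": dropper,
        "Program Files/Some Utility/tool.exe": benign,
        "WINDOWS/notepad.exe": b"MZ" + b"\x00" * 50,
    }
    for rel, data in layout.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


def hunt(root, known_bad_relpath):
    """Fingerprint the known-bad file, then return (reference, copies found)."""
    ref = file_fingerprint(os.path.join(root, *known_bad_relpath.split("/")))
    return ref, find_copies(root, {ref})


if __name__ == "__main__":
    root = build_sample_volume()
    ref, hits = hunt(root, "Documents and Settings/Samuel/Application Data/drivers/winupgro.exe")
    print("reference size/crc32/md5:", ref)
    for path, _ in hits:
        print("copy:", os.path.relpath(path, root))
    shutil.rmtree(root)
```

Two caveats a practitioner should keep in mind. First, exact-hash matching only finds byte-identical copies, which is why the report carries a second reference (MD5 301501ecb76a5bf5f9feadd1ec56e078) for three of the restore-point files: a different build of the dropper needs its own entry. Second, MD5 collisions are practical today, so a hash list you share with others should also carry SHA-256; for hunting copies of a sample you hashed yourself, as here, MD5 plus size is adequate. The restore points matter because System Restore can otherwise bring the dropper back after cleanup.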
Anonymous user
31 May 2010 at 22:52
The end of the report is missing... Could you please repost it in full?
It ends with "Fin du rapport # FindyKill V5.043"!

Cheers


