[worm] autorite nt\systemRésolu/Fermé

Question

Bonjours a tous

je viens a vous car je n arrive pas a eradiquer ce sataner ver de mon ordinateur, j ai parcouru le site et les forum mais je me retrouve bloquer apres avoir fait un scan de mon ordinateur

j ai utiliser ewido anti-spyware et antivir personal edition mais je n arrive toujours pas a me debarrasser de ce ver informatique (je tiens a le preciser hein pour ceux qui ont l esprit mal tourné)
bon treve de plaisanterie, j ai formaté mon disque dur, le premier element que j ai installé avant meme les drivers, ce fut kerio firewall une vieille edition

a l analyse de mon disque dur apres plusieurs redemarrage, j ai finis par completer la manoeuvre en enlever le redemarrage automatique et j ai reussi a etablir un rapport comme suit :

-------------------------


AntiVir PersonalEdition Classic
Report file date: samedi 30 septembre 2006  23:28

Scanning for 515767 virus strains and unwanted programs.

Licensed to:      Avira AntiVir PersonalEdition Classic
Serial number:    0000149996-WURGE-0001
Platform:         Windows XP
Windows version:  (plain)  [5.1.2600]
Username:         maydat
Computer name:    MAYDAT-BUREAU

Version information:
AVSCAN.EXE   : 7.0.0.47    200744   21/08/2006 10:06:56
AVSCAN.DLL   : 7.0.0.45    41000    07/09/2006 10:56:33
LUKE.DLL     : 7.0.0.47    118824   07/09/2006 10:32:33
LUKERES.DLL  : 7.0.0.47    9256     07/09/2006 10:56:33
ANTIVIR0.VDF : 6.35.0.1    7371264  31/05/2006 10:35:27
ANTIVIR1.VDF : 6.36.0.9    1424384  06/09/2006 07:12:24
ANTIVIR2.VDF : 6.36.0.71   284160   25/09/2006 17:00:49
ANTIVIR3.VDF : 6.36.0.84   44032    30/09/2006 17:00:49
AVEWIN32.DLL : 7.2.0.22    1860096  30/09/2006 17:00:49
AVPREF.DLL   : 7.0.0.2     23592    24/07/2006 12:36:04
AVREP.DLL    : 6.36.0.5    806952   30/09/2006 17:00:49
AVRPBASE.DLL : 7.0.0.0     2162728  30/03/2006 08:43:31
AVPACK32.DLL : 7.2.0.0     368680   21/07/2006 06:00:28
AVREG.DLL    : 6.31.0.90   27688    28/07/2005 10:06:36
NETNT.DLL    : 6.32.0.0    6696     27/09/2005 07:56:49
NETNW.DLL    : 7.0.0.0     9768     24/07/2006 12:35:55
RCIMAGE.DLL  : 7.0.0.74    1642536  01/08/2006 11:22:57
RCTEXT.DLL   : 7.0.1.4     77864    30/09/2006 17:00:47

Configuration settings for the scan:
Jobname.......................: Local Drives
Configuration file............: C:\Program Files\AntiVir PersonalEdition Classic\alldrives.avp
Boot sectors..................: C,D,A,E,F,G
Scan memory...................: 1
Process scan..................: 1
Scan all files................: 1
Scan archives.................: 1
Recursion depth...............: 20
Smart extensions..............: 1
Macro heuristic...............: 1
File heuristic................: 0
Primary action................: 1
Secondary action..............: 0

Start of the scan: samedi 30 septembre 2006  23:28


The scan of running processes will be started
9 Processes were scanned

Start scanning boot sectors:

Boot sector 'C:\'
      [NOTE]      No virus was found!
Boot sector 'D:\'
      [NOTE]      No virus was found!
Boot sector 'A:\'
      [NOTE]      In the drive 'A:\' no data medium is inserted!
Boot sector 'E:\'
      [NOTE]      In the drive 'E:\' no data medium is inserted!

Starting to scan the registry.
The registry was scanned ( 12 files ).


Starting the file scan:

C:\pagefile.sys
      [WARNING]   The file could not be opened!
C:\Documents and Settings\LocalService\NTUSER.DAT
      [WARNING]   The file could not be opened!
C:\Documents and Settings\LocalService
tuser.dat.LOG
      [WARNING]   The file could not be opened!
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
      [WARNING]   The file could not be opened!
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
      [WARNING]   The file could not be opened!
C:\Documents and Settings\maydat\NTUSER.DAT
      [WARNING]   The file could not be opened!
C:\Documents and Settings\maydat
tuser.dat.LOG
      [WARNING]   The file could not be opened!
C:\Documents and Settings\maydat\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
      [WARNING]   The file could not be opened!
C:\Documents and Settings\maydat\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
      [WARNING]   The file could not be opened!
C:\Documents and Settings\maydat\Local Settings\Temp\Perflib_Perfdata_6dc.dat
      [WARNING]   The file could not be opened!
C:\Documents and Settings\NetworkService\NTUSER.DAT
      [WARNING]   The file could not be opened!
C:\Documents and Settings\NetworkService
tuser.dat.LOG
      [WARNING]   The file could not be opened!
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
      [WARNING]   The file could not be opened!
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
      [WARNING]   The file could not be opened!
C:\WINDOWS\system32\config\default
      [WARNING]   The file could not be opened!
C:\WINDOWS\system32\config\default.LOG
      [WARNING]   The file could not be opened!
C:\WINDOWS\system32\config\SAM
      [WARNING]   The file could not be opened!
C:\WINDOWS\system32\config\SAM.LOG
      [WARNING]   The file could not be opened!
C:\WINDOWS\system32\config\SECURITY
      [WARNING]   The file could not be opened!
C:\WINDOWS\system32\config\SECURITY.LOG
      [WARNING]   The file could not be opened!
C:\WINDOWS\system32\config\software
      [WARNING]   The file could not be opened!
C:\WINDOWS\system32\config\software.LOG
      [WARNING]   The file could not be opened!
C:\WINDOWS\system32\config\system
      [WARNING]   The file could not be opened!
C:\WINDOWS\system32\config\system.LOG
      [WARNING]   The file could not be opened!
The path A:\ could not be found!
Le périphérique n'est pas prêt.

The path E:\ could not be found!
Le périphérique n'est pas prêt.

The path F:\ could not be found!
Le périphérique n'est pas prêt.

The path G:\ could not be found!
Le périphérique n'est pas prêt.



End of the scan: samedi 30 septembre 2006  23:31
Used time: 03:09 min

The scan has been done completely.

    965 Scanning directories
  34238 Files were scanned
      0 viruses and/or unwanted programs were found
      0 files were deleted
      0 files were repaired
      0 files were moved to quarantine
      0 files were renamed
    329 Archives were scanned
     24 Warnings
      1 Notes
--------------------- Fin du rapport

a partir de la je n arrive pas a savoir quelles sont les manipulation a effectuer, je ne suis pas informaticien, loin de la, j essaye d avoir un bon niveai de debutant, donc si vous arriver a m expliquer ce que je dois faire a partir de la par des mots simple, je vous en serait vraiment reconnaissant

sur ce j attend avec impatience d avoir des reponse. merci d avance

Séb08 · Answer

slt,


Pour vérifier, scanne ton PC avec cet antivirus en ligne (sous IE et accepte l’activX) : 

http://www.bitdefender.fr/bd/site/search.php#

Clique sur « scan on line »  suis les instructions.

Et colle le rapport 

ensuite :

télécharge HijackThis (version francaise) ici: 
http://telechargement.zebulon.fr/160-Patch-fran%C3%A7ais-pour-HijackThis.html

Dézippe le dans un dossier prévu à cet effet. 

Par exemple C:\hijackthis < Enregistre le bien dans c : ! 

Démo (merci à Balltrap) :
instalation hijackthis
http://pageperso.aol.fr/balltrap34/Hijenr.gif

Lance le puis: 
clique sur "faire un scan et sauvegarder le log" (cf démo) 
faire un copier coller du log entier sur le forum 

Démo : (merci à balltrap34 pour cette réalisation) 
http://pageperso.aol.fr/balltrap34/demohijack.htm

A+

anakin6661 · Answer

Voila le rapport que j ai eu :
-------------------------
Logfile of HijackThis v1.99.1
Scan saved at 00:58:26, on 01/10/2006
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin
SvcLog.exe
C:\WINDOWS\System32
vsvc32.exe
C:\Program Files\Kerio\Personal Firewall\persfw.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Hijackthis Version Française\VERSION TRADUITE ORIGINALE.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.fr/?gws_rd=ssl
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SW20] C:\WINDOWS\System32\sw20.exe
O4 - HKLM\..\Run: [SW24] C:\WINDOWS\System32\sw24.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.fr/scan8/oscan8.cab
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin
SvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32
vsvc32.exe
O23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall\persfw.exe


----------------Fin rapport

pas trop d info je trouve

Séb08 · Answer

Tu as oublier le rapport de Bitdefender ...

copie/colle le STP

A+

Séb08 · Answer

Re,

A lire et faire les manips :

sasser

A+

[worm] autorite nt\system

4 réponses

Discussions similaires

Newsletters