I have the virus "c'est pas toi", what should I do??

Solved/Closed
Mitsuka Posts 4 Registered Thursday 17 January 2008 Status Member Last seen 18 January 2008 - 18 Jan 2008 at 18:28
miguelito - 25 Feb 2008 at 20:45
Hello,
I have the "c'est pas toi" virus that is going around on MSN at the moment;
my antivirus "avast" did not react.
So I went on this forum and followed the few instructions I found, but despite countless scans with AVG and cleanups with CCleaner I still have this virus.
Please, if you know how to deal with it, that would help me a lot.

Thanks

105 replies

SAME FOR ME !!!!
SDFix: Version 1.131

Run by charrier on 24/01/2008 at 20:17

Microsoft Windows XP [version 5.1.2600]

Running From: C:\DOCUME~1\charrier\Bureau\Nouveau dossier\SDFix

Safe Mode:
Checking Services:

Name:
astq
runtime
ztx86

Path:
\??\C:\WINDOWS\system32\drivers\astq.tga
\??\C:\WINDOWS\System32\drivers\runtime.sys
\??\C:\WINDOWS\system32\ztx86.sys

astq - Deleted
runtime - Deleted
ztx86 - Deleted



Infected ip6fw.sys Found!

ip6fw.sys File Locations:


Infected File Listed Below:

Impossible d'exécuter C:\DOCUME~1\CHARRIER\BUREAU\NOUVEAU DOSSIER\SDFIX\APPS\LOCATE.COM

File copied to Backups Folder
Attempting to replace ip6fw.sys with original version...

Unable To Replace Infected File!


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

Impossible d'exécuter C:\DOCUME~1\CHARRIER\BUREAU\NOUVEAU DOSSIER\SDFIX\APPS\LOCATE.COM - Deleted
Impossible d'exécuter C:\DOCUME~1\CHARRIER\BUREAU\NOUVEAU DOSSIER\SDFIX\APPS\LOCATE.COM - Deleted
Impossible d'exécuter C:\DOCUME~1\CHARRIER\BUREAU\NOUVEAU DOSSIER\SDFIX\APPS\LOCATE.COM - Deleted
Impossible d'exécuter C:\DOCUME~1\CHARRIER\BUREAU\NOUVEAU DOSSIER\SDFIX\APPS\LOCATE.COM - Deleted
Impossible d'exécuter C:\DOCUME~1\CHARRIER\BUREAU\NOUVEAU DOSSIER\SDFIX\APPS\LOCATE.COM - Deleted
Impossible d'exécuter C:\DOCUME~1\CHARRIER\BUREAU\NOUVEAU DOSSIER\SDFIX\APPS\LOCATE.COM - Deleted
Impossible d'exécuter C:\DOCUME~1\CHARRIER\BUREAU\NOUVEAU DOSSIER\SDFIX\APPS\LOCATE.COM - Deleted
Impossible d'exécuter C:\DOCUME~1\CHARRIER\BUREAU\NOUVEAU DOSSIER\SDFIX\APPS\LOCATE.COM - Deleted
Impossible d'exécuter C:\DOCUME~1\CHARRIER\BUREAU\NOUVEAU DOSSIER\SDFIX\APPS\LOCATE.COM - Deleted
Impossible d'exécuter C:\DOCUME~1\CHARRIER\BUREAU\NOUVEAU DOSSIER\SDFIX\APPS\LOCATE.COM - Deleted
Impossible d'exécuter C:\DOCUME~1\CHARRIER\BUREAU\NOUVEAU DOSSIER\SDFIX\APPS\LOCATE.COM - Deleted
C:\Program Files\Helper\superfindout.dll - Deleted
C:\Program Files\InetGet2\FINAL -- Fort 5.6_MST-ONLY.exe - Deleted
C:\Program Files\Temporary\kernInst.exe - Deleted
C:\Program Files\Fichiers communs\Yazzle1560OinUninstaller.exe - Deleted
C:\WINDOWS\system32\9_exception.nls - Deleted
C:\WINDOWS\system32\adult.txt - Deleted
C:\WINDOWS\system32\btask.dll - Deleted
C:\WINDOWS\system32\conf.dat - Deleted
C:\WINDOWS\system32\finance.txt - Deleted
C:\WINDOWS\system32\lt.res - Deleted
C:\WINDOWS\system32\other.txt - Deleted
C:\WINDOWS\system32\pharma.txt - Deleted
C:\WINDOWS\system32\ps1.dat - Deleted
C:\WINDOWS\system32\rc.dat - Deleted
C:\WINDOWS\system32\sft.res - Deleted
C:\WINDOWS\system32\socketa.dll - Deleted
C:\WINDOWS\system32\socksys.dll - Deleted
C:\WINDOWS\system32\drivers\astq.tga - Deleted
C:\WINDOWS\system32\ztx86.sys - Deleted



Folder C:\Program Files\Helper - Removed
Folder C:\Program Files\InetGet2 - Removed
Folder C:\Program Files\Temporary - Removed


Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\explorer.exe
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-24 20:23:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40]
"khjeh"=hex:20,02,00,00,4e,75,51,87,bb,84,49,bf,4a,6b,3a,2d,44,06,dc,9d,86,..
"hj34z0"=hex:58,e3,0a,9d,f5,37,2c,59,55,5a,cb,e9,1a,39,4d,9a,fa,7b,c7,03,1b,..

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\IncrediMail\\bin\\ImApp.exe"="C:\\Program Files\\IncrediMail\\bin\\ImApp.exe:*:Enabled:IncrediMail"
"C:\\Program Files\\IncrediMail\\bin\\IncMail.exe"="C:\\Program Files\\IncrediMail\\bin\\IncMail.exe:*:Enabled:IncrediMail"
"C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"="C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe:*:Enabled:IncrediMail"
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe:*:Enabled:Logitech Desktop Messenger"
"C:\\DOCUME~1\\charrier\\LOCALS~1\\Temp\\services.exe"="C:\\DOCUME~1\\charrier\\LOCALS~1\\Temp\\services.exe:*:Enabled:Flash Player2"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\WINDOWS\\system32\\svchost.exe"="C:\\WINDOWS\\system32\\svchost.exe:*:Enabled:svchost"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe:*:Enabled:Logitech Desktop Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

Remaining Files:
---------------


Files with Hidden Attributes:

Impossible d'exécuter C:\DOCUME~1\CHARRIER\BUREAU\NOUVEAU DOSSIER\SDFIX\APPS\LOCATE.COM

Finished!
0
[b][u]SDFix: Version 1.143[/u][/b]

Run by Cedric on 18/02/2008 at 22:13

Microsoft Windows XP [version 5.1.2600]
Running From: C:\DOCUME~1\Cedric\Bureau\SDfix\SDFix

[b][u]Checking Services[/u][/b]:

Name:
4fdw
FCI
FFI
Generic Host Process for Win-32 Service
ldrsvc
nested
protect
qwer78
USB2_04
ztx86
OUB31
UCI52

Path:
\??\C:\WINDOWS\system32\4fdw.dll
C:\WINDOWS\system32\svchost.exe:ext.exe
C:\WINDOWS\system32\svchost.exe:exm.exe
"C:\WINDOWS\svchost.exe"
%SystemRoot%\System32\svchost.exe -k netsvcs
\??\C:\WINDOWS\system32\nested.sys
System32\drivers\protect.sys
\??\C:\WINDOWS\system32\drivers\qwer78.sys
\??\C:\WINDOWS\system32\drivers\nkv2.sys
\??\C:\WINDOWS\system32\ztx86.sys
System32\Drivers\Oub31.sys
System32\Drivers\Uci52.sys

4fdw - Deleted
FCI - Deleted
FFI - Deleted
Generic Host Process for Win-32 Service - Deleted
ldrsvc - Deleted
nested - Deleted
protect - Deleted
qwer78 - Deleted
USB2_04 - Deleted
ztx86 - Deleted
OUB31 - Deleted
UCI52 - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...

Service OUB31 - Deleted after Reboot
Service asc3550o - Deleted after Reboot

[b][u]Checking Files[/u][/b]:

Trojan Files Found:

C:\WINDOWS\system32\drivers\OUB31.sys - Deleted
C:\WINDOWS\system32\drivers\UCI52.sys - Deleted
C:\121570~1 - Deleted
C:\WINDOWS\system32\acespy\systune.exe - Deleted
C:\WINDOWS\system32\acespy\__acelog.ndx - Deleted
C:\d.exe - Deleted
C:\DOCUME~1\Cedric\LOCALS~1\Temp\services.exe - Deleted
C:\WINDOWS\absolute key logger.lnk - Deleted
C:\WINDOWS\aconti.exe - Deleted
C:\WINDOWS\aconti.log - Deleted
C:\WINDOWS\acontidialer.txt - Deleted
C:\WINDOWS\adbar.dll - Deleted
C:\WINDOWS\daxtime.dll - Deleted
C:\WINDOWS\default.htm - Deleted
C:\WINDOWS\dp0.dll - Deleted
C:\WINDOWS\eventlowg.dll - Deleted
C:\WINDOWS\fhfmm-Uninstaller.exe - Deleted
C:\WINDOWS\hotporn.exe - Deleted
C:\WINDOWS\ie_32.exe - Deleted
C:\WINDOWS\jd2002.dll - Deleted
C:\WINDOWS\kkcomp$.exe - Deleted
C:\WINDOWS\liqad$.exe - Deleted
C:\WINDOWS\liqui-Uninstaller.exe - Deleted
C:\WINDOWS\ngd.dll - Deleted
C:\WINDOWS\pbar.dll - Deleted
C:\WINDOWS\spredirect.dll - Deleted
C:\WINDOWS\system32\adult.txt - Deleted
C:\WINDOWS\system32\ESHOPEE.exe - Deleted
C:\WINDOWS\system32\finance.txt - Deleted
C:\WINDOWS\system32\LogCrypt.dll - Deleted
C:\WINDOWS\system32\lt.res - Deleted
C:\WINDOWS\system32\other.txt - Deleted
C:\WINDOWS\system32\pharma.txt - Deleted
C:\WINDOWS\system32\sft.res - Deleted
C:\WINDOWS\system32\vxddsk.exe - Deleted
C:\WINDOWS\system32\WLCtrl32.dll - Deleted
C:\WINDOWS\vxddsk.exe - Deleted
C:\WINDOWS\wml.exe - Deleted
C:\WINDOWS\xadbrk_.exe - Deleted
C:\WINDOWS\xxxvideo.exe - Deleted
C:\WINDOWS\system32\4fdw.dll - Deleted
C:\WINDOWS\System32\drivers\nkv2.sys - Deleted
C:\WINDOWS\system32\drivers\qwer78.sys - Deleted
C:\WINDOWS\system32\nested.sys - Deleted
C:\WINDOWS\system32\ztx86.sys - Deleted



Folder C:\Program Files\Dot1XCfg - Removed
Folder C:\Program Files\Temporary - Removed
Folder C:\WINDOWS\system32\acespy - Removed


Removing Temp Files...

[b][u]ADS Check[/u][/b]:


C:\WINDOWS\system32\svchost.exe
: ADS Found!
svchost.exe: deleted 53248 bytes in 2 streams.

Checking for remaining Streams

C:\WINDOWS\system32\svchost.exe
No streams found.



[b][u]Final Check[/u][/b]:

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-18 22:22:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...


scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 2


[b][u]Remaining Services[/u][/b]:



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Orb Networks\\Orb\\bin\\Orb.exe"="C:\\Program Files\\Orb Networks\\Orb\\bin\\Orb.exe:*:Enabled:Orb"
"C:\\Program Files\\Orb Networks\\Orb\\bin\\OrbTray.exe"="C:\\Program Files\\Orb Networks\\Orb\\bin\\OrbTray.exe:*:Enabled:OrbTray"
"C:\\Program Files\\Orb Networks\\Orb\\bin\\OrbStreamerClient.exe"="C:\\Program Files\\Orb Networks\\Orb\\bin\\OrbStreamerClient.exe:*:Enabled:Orb Stream Client"
"C:\\Program Files\\Orb Networks\\Orb\\bin\\xmltv.exe"="C:\\Program Files\\Orb Networks\\Orb\\bin\\xmltv.exe:*:Enabled:OrbTVGuide"
"C:\\Program Files\\Orb Networks\\Orb\\bin\\OrbChannelScan.exe"="C:\\Program Files\\Orb Networks\\Orb\\bin\\OrbChannelScan.exe:*:Enabled:OrbChannelScan"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\Azureus\\Azureus.exe"="C:\\Program Files\\Azureus\\Azureus.exe:*:Enabled:Azureus"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Mozilla Firefox"
"C:\\Program Files\\Outlook Express\\msimn.exe"="C:\\Program Files\\Outlook Express\\msimn.exe:*:Enabled:Outlook Express"
"C:\\Program Files\\Everest Poker\\cstart.exe"="C:\\Program Files\\Everest Poker\\cstart.exe:*:Enabled:Everest Poker"
"C:\\Program Files\\Norton SystemWorks\\Norton Utilities\\UE32.EXE"="C:\\Program Files\\Norton SystemWorks\\Norton Utilities\\UE32.EXE:*:Enabled:Assistant UnErase"
"C:\\Program Files\\K-Lite Codec Pack\\Media Player Classic\\mplayerc.exe"="C:\\Program Files\\K-Lite Codec Pack\\Media Player Classic\\mplayerc.exe:*:Enabled:Media Player Classic"
"C:\\Program Files\\Symantec\\LiveUpdate\\LUALL.EXE"="C:\\Program Files\\Symantec\\LiveUpdate\\LUALL.EXE:*:Enabled:LiveUpdate"
"C:\\Program Files\\WinRAR\\WinRAR.exe"="C:\\Program Files\\WinRAR\\WinRAR.exe:*:Enabled:WinRAR"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\DOCUME~1\\Cedric\\LOCALS~1\\Temp\\services.exe"="C:\\DOCUME~1\\Cedric\\LOCALS~1\\Temp\\services.exe:*:Enabled:Flash Player2"
"C:\\Documents and Settings\\Cedric\\Bureau\\ottkwk.exe"="C:\\Documents and Settings\\Cedric\\Bureau\\ottkwk.exe:*:Enabled:Windows Service"
"C:\\WINDOWS\\system32\\svchost.exe"="C:\\WINDOWS\\system32\\svchost.exe:*:Enabled:svchost"
"C:\\DOCUME~1\\Cedric\\LOCALS~1\\Temp\\dllhost.exe"="C:\\DOCUME~1\\Cedric\\LOCALS~1\\Temp\\dllhost.exe:*:Enabled:Flash Media"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[b][u]Remaining Files[/u][/b]:


File Backups: - C:\DOCUME~1\Cedric\Bureau\SDfix\SDFix\backups\backups.zip

[b][u]Files with Hidden Attributes[/u][/b]:

Mon 17 Dec 2007 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Wed 31 Oct 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Tue 1 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\0a639c949e790d609251685186692b3a\BITF7.tmp"
Thu 24 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\585dc2612ebcefc90e7dee4c276ee95e\BIT1.tmp"
Tue 1 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\ad213d081e2675ef87a62c73b8abf209\BITF4.tmp"
Tue 1 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\c4f88f947d390c49edce5fbcc347ee34\BITF6.tmp"
Tue 1 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\d6e228e44f2018dd79eeb427a0b47d06\BITF5.tmp"

[b]Finished![/b]
0
Hello there =)

I too have this virus, the famous "C'est pas toi ça ?". Here is how it happened:

One of my friends sent me: C'est pas toi ça ? (followed by a link like lycos/membre/lovingstown something ^^)
Out of curiosity (I admit now that it is a nasty flaw) I clicked on this link.
I got a photo of a guy I did not know at all; in short, nonsense.
Then my computer started sending this link to all my other contacts.
Then, strangely, it cut off my internet. I only had internet for 3 minutes.
Which means I cannot download anything, because I am on another computer. Unless I put the installer on a USB stick.

So, I have not heard of the 'internet cut-off' in the discussion (I admit I skipped some pages ^^), so is that normal?

Next, I would like to ask a few questions ^^

Why post the final report on the forum?
This operation will not delete any files, photos, etc.?
How many times and how often do I have to press the F8 key when starting Safe Mode?
Is the procedure long?
Is the final report the same for all computers, or is it different every time?

In any case, thank you for your upcoming answers, I will be extremely grateful <3 =)

Regards, LovingStown.
0
[b]SDFix: Version 1.147 [/b]

Run by Administrateur on 25/02/2008 at 20:07

Microsoft Windows XP [version 5.1.2600]
Running From: C:\DOCUME~2\ADMINI~1\Bureau\SDFix

[b]Checking Services [/b]:

Name:
jnhjkfrn
nested
pcximg

Path:
\??\C:\WINDOWS\system32\jnhjkfrn
\??\C:\WINDOWS\system32\nested.sys
\??\C:\WINDOWS\system\pcximg.pif

jnhjkfrn - Deleted
nested - Deleted
pcximg - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


[b]Checking Files [/b]:

Trojan Files Found:

C:\PROGRA~1\INTERN~1\LAGUS.DLL - Deleted
C:\WINDOWS\system32\WinNB58.dll - Deleted
C:\-93752~1 - Deleted
C:\PROGRA~1\MESSEN~1\HOCYPE~1.EXE - Deleted
C:\DOCUME~2\LOCALS~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\94WLBPCV\QWERTY~1.HTM - Deleted
C:\Program Files\Helper\1202304666.dll - Deleted
C:\Program Files\InetGet2\emg.exe - Deleted
C:\Program Files\InetGet2\Installeur.exe - Deleted
C:\Program Files\Temporary\kernInst.exe - Deleted
C:\d.exe - Deleted
C:\WINDOWS\b111.exe - Deleted
C:\WINDOWS\b122.exe - Deleted
C:\WINDOWS\b128.exe - Deleted
C:\WINDOWS\b147.exe - Deleted
C:\WINDOWS\mrofinu1148.exe - Deleted
C:\DOCUME~2\ADMINI~1\LOCALS~1\Temp\services.exe - Deleted
C:\WINDOWS\system32\msvcrtd.exe - Deleted
C:\WINDOWS\tk58.exe - Deleted
C:\WINDOWS\system\pcximg.pif - Deleted
C:\WINDOWS\system32\jnhjkfrn - Deleted
C:\WINDOWS\system32\nested.sys - Deleted



Folder C:\Program Files\Dot1XCfg - Removed
Folder C:\Program Files\Helper - Removed
Folder C:\Program Files\InetGet2 - Removed
Folder C:\Program Files\Insider - Removed
Folder C:\Program Files\Temporary - Removed


Removing Temp Files

[b]ADS Check [/b]:



[b]Final Check [/b]:

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-25 20:20:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\000a94013f5b]
"001700a8eef3"=hex:c2,24,7d,07,e8,83,b4,f9,44,57,11,20,57,98,89,4f
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000a94013f5b]
"001700a8eef3"=hex:c2,24,7d,07,e8,83,b4,f9,44,57,11,20,57,98,89,4f
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\000a94013f5b]
"001700a8eef3"=hex:c2,24,7d,07,e8,83,b4,f9,44,57,11,20,57,98,89,4f

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update]
"OfflineDetectionPending"=dword:00000001

scanning hidden files ...


scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 41


[b]Remaining Services [/b]:



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\eMule\\emule.exe"="C:\\Program Files\\eMule\\emule.exe:*:Enabled:eMule"
"C:\\Program Files\\Microsoft LifeCam\\IcePick.exe"="C:\\Program Files\\Microsoft LifeCam\\IcePick.exe:*:Enabled:Windows Live Call"
"C:\\WINDOWS\\system32\\spoolsvc.exe"="C:\\WINDOWS\\system32\\spoolsvc.exe:*:Disabled:spoolsvc"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Messenger"
"C:\\Program Files\\ReadPlease 2003\\ReadPlease2003.exe"="C:\\Program Files\\ReadPlease 2003\\ReadPlease2003.exe:*:Disabled: ReadPlease 2003 FREE"
"C:\\Documents and Settings\\Administrateur\\Local Settings\\Temp\\services.exe"="C:\\Documents and Settings\\Administrateur\\Local Settings\\Temp\\services.exe:*:Disabled:Flash Player2"
"C:\\DOCUME~2\\ADMINI~1\\LOCALS~1\\Temp\\services.exe"="C:\\DOCUME~2\\ADMINI~1\\LOCALS~1\\Temp\\services.exe:*:Enabled:Flash Player2"
"C:\\WINDOWS\\network diagnostic\\xpnetdiag.exe"="C:\\WINDOWS\\network diagnostic\\xpnetdiag.exe:*:Enabled:Network Diagnostic for Windows XP"
"C:\\Documents and Settings\\Administrateur\\vtmhtd.exe"="C:\\Documents and Settings\\Administrateur\\vtmhtd.exe:*:Enabled:Windows Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[b]Remaining Files [/b]:


File Backups: - C:\DOCUME~2\ADMINI~1\Bureau\SDFix\backups\backups.zip

[b]Files with Hidden Attributes [/b]:

--- 4,263 ..SH. --- "C:\WINDOWS\windllreg1c.sys"
Mon 31 Dec 2007 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Thu 23 Jan 2003 65,952 ..SHR --- "C:\Program Files\Autodesk\Autodesk Express Viewer\Setup.exe"
Mon 14 Mar 2005 299,008 A..H. --- "C:\Program Files\Canon\MP Navigator 2.0\Maint.exe"
Mon 25 Apr 2005 61,440 A..H. --- "C:\Program Files\Canon\MP Navigator 2.0\uinstrsc.dll"
Tue 19 Dec 2006 78,336 ...H. --- "C:\Documents and Settings\Administrateur\Mes documents\documen mama\~WRL0129.tmp"
Mon 18 Dec 2006 106,496 ...H. --- "C:\Documents and Settings\Administrateur\Mes documents\documen mama\~WRL2806.tmp"
Mon 7 May 2007 83,456 ...H. --- "C:\Documents and Settings\Administrateur\Mes documents\POLO\~WRL0001.tmp"
Mon 22 Oct 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Wed 9 Jan 2008 1,775,736 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\8c2cd6ae63d9a68818031dc07c70ea54\BIT5CF.tmp"
Thu 8 Dec 2005 78,336 ...H. --- "C:\Documents and Settings\Administrateur\Application Data\Microsoft\Word\~WRL0336.tmp"
Thu 8 Dec 2005 77,312 ...H. --- "C:\Documents and Settings\Administrateur\Application Data\Microsoft\Word\~WRL2643.tmp"
Wed 17 Oct 2007 20,752 A..H. --- "C:\Documents and Settings\Administrateur\Local Settings\Temp\100000010000b7ae760032\IPCONFIG.exe"

[b]Finished![/b]
0

titmissaure Posts 25 Registered Wednesday 23 January 2008 Status Member Last seen 18 August 2008
24 Jan 2008 at 10:51
I advise you to kill them yourself. That is what I did, and I no longer have any problems.
-1