WORM/Rbot.542720.7 WORM/SdBot.401408.13

Solved
bab2735
Hello,
After reinstalling Windows XP SP1 this morning, my partner can't do anything with his computer anymore!
He downloaded Antivir, which detected:
WORM/Rbot.542720.7
WORM/SdBot.401408.13
among others!
Downloading anything at all is impossible from this computer, but I can do it from another one (at work).
When he goes on the internet there are lots of error messages.
How do we get out of this? Do we have to format all our hard drives??? Or is there another way?
Thank you for helping us...
Configuration: Windows XP
Firefox 2.0.0.12

4 replies

  1. green day (Moderator, Security contributor)
    Hi

    Reboot in safe mode and run a scan with Antivir; put everything you can in quarantine.

    Then:

    Download ComboFix (by sUBs) to the Desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe

    * Start in safe mode
    * Double-click combofix.exe.
    * Press the Y key (Yes) to start the scan
    * The report will be created at C:\Combofix.txt; please post it

    ++
    1. bab2735 (Member)
      Hello,
      So last night I managed to run a scan without safe mode. During that scan I put as much as I could into quarantine, but for some items the only choices were ignore or delete, and I think I deleted something. Now at startup the computer tells me it is missing "Clmcs.exe"; is that serious?
      I rebooted in safe mode and ran ComboFix. Here is its report:

      ComboFix 08-02-25.3 - moff 2008-02-26 22:24:32.1 - NTFSx86 MINIMAL
      Microsoft Windows XP Édition familiale
      Endroit: C:\Documents and Settings\moff\Bureau\ComboFix.exe

      [color=red][b]AVERTISSEMENT - LA CONSOLE DE RÉCUPÉRATION N'EST PAS INSTALLÉE SUR CETTE MACHINE !![/b][/color]
      .

      (((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
      .

      C:\WINDOWS\system32\nkwqcgkal.exe
      C:\WINDOWS\system32\tokxdnjlv.exe

      .
      ((((((((((((((((((((((((((((( Fichiers créés 2008-01-26 to 2008-02-26 ))))))))))))))))))))))))))))))))))))
      .

      2008-02-26 21:11 . 2008-02-26 21:11 55,296 ---hs---- C:\WINDOWS\system32\mdm.exe
      2008-02-26 20:39 . 2008-02-26 20:39 <REP> d-------- C:\WINDOWS\system32\bits
      2008-02-26 20:39 . 2008-02-26 21:41 <REP> d--h----- C:\WINDOWS\$hf_mig$
      2008-02-26 20:39 . 2005-02-25 04:35 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
      2008-02-26 20:38 . 2004-07-01 23:08 360,960 --a--c--- C:\WINDOWS\system32\dllcache\qmgr.dll
      2008-02-26 20:38 . 2004-07-01 23:08 331,776 --a------ C:\WINDOWS\system32\winhttp.dll
      2008-02-26 20:38 . 2004-07-01 23:08 331,776 --a--c--- C:\WINDOWS\system32\dllcache\winhttp.dll
      2008-02-26 20:38 . 2004-07-01 23:08 17,408 --a------ C:\WINDOWS\system32\qmgrprxy.dll
      2008-02-26 20:38 . 2004-07-01 23:08 17,408 --a--c--- C:\WINDOWS\system32\dllcache\qmgrprxy.dll
      2008-02-26 20:38 . 2004-07-01 23:08 7,680 -----c--- C:\WINDOWS\system32\dllcache\bitsprx2.dll
      2008-02-26 20:38 . 2004-07-01 23:08 7,680 --------- C:\WINDOWS\system32\bitsprx2.dll
      2008-02-26 20:38 . 2004-07-01 23:08 7,168 -----c--- C:\WINDOWS\system32\dllcache\bitsprx3.dll
      2008-02-26 20:38 . 2004-07-01 23:08 7,168 --------- C:\WINDOWS\system32\bitsprx3.dll
      2008-02-26 20:35 . 2008-02-26 20:35 2,422 --a------ C:\WINDOWS\system32\wpa.bak
      2008-02-26 19:06 . 2008-02-26 19:06 118 --a------ C:\WINDOWS\system32\izsge.bat
      2008-02-26 17:43 . 2008-02-26 17:43 <REP> d---s---- C:\Documents and Settings\moff\UserData
      2008-02-26 17:43 . 2007-07-30 19:19 549,720 --a------ C:\WINDOWS\system32\wuapi.dll
      2008-02-26 17:43 . 2007-07-30 19:19 325,976 --a------ C:\WINDOWS\system32\wucltui.dll
      2008-02-26 17:43 . 2007-07-30 19:19 216,408 --a------ C:\WINDOWS\system32\wuaucpl.cpl
      2008-02-26 17:43 . 2007-07-30 19:19 43,352 --a------ C:\WINDOWS\system32\wups2.dll
      2008-02-26 17:43 . 2007-07-30 19:19 38,232 --a------ C:\WINDOWS\system32\wucltui.dll.mui
      2008-02-26 17:43 . 2007-07-30 19:18 33,624 --a------ C:\WINDOWS\system32\wups.dll
      2008-02-26 17:43 . 2007-07-30 19:20 30,040 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
      2008-02-26 17:43 . 2007-07-30 19:19 30,040 --a------ C:\WINDOWS\system32\wuapi.dll.mui
      2008-02-26 17:43 . 2007-07-30 19:18 21,336 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
      2008-02-26 17:38 . 2008-02-26 17:38 <REP> d-------- C:\WINDOWS\OPTIONS
      2008-02-26 17:38 . 2008-02-26 17:38 <REP> d-------- C:\Program Files\Realtek
      2008-02-26 17:38 . 2008-02-26 17:38 <REP> d--h----- C:\Program Files\InstallShield Installation Information
      2008-02-26 17:38 . 2008-02-26 17:38 <REP> d-------- C:\Documents and Settings\moff\Application Data\InstallShield
      2008-02-26 17:38 . 2007-11-20 19:09 104,320 --a------ C:\WINDOWS\system32\drivers\Rtnicxp.sys
      2008-02-26 17:35 . 2008-02-26 17:35 <REP> d-------- C:\yenicag
      2008-02-26 17:18 . 2003-08-25 18:06 182,880 --a------ C:\WINDOWS\system32\iuengine.dll
      2008-02-26 17:18 . 2003-08-25 18:06 182,880 --a--c--- C:\WINDOWS\system32\dllcache\iuengine.dll
      2008-02-26 17:01 . 2008-02-26 16:32 261 --a------ C:\WINDOWS\system32\$winnt$.inf

      .
      (((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
      .
      2008-02-26 20:38 44,032 ----a-w C:\WINDOWS\system32\ftp.exe
      2008-02-26 20:38 17,920 ----a-w C:\WINDOWS\system32\tftp.exe
      2008-02-26 15:40 --------- d-----w C:\Program Files\Avira
      2008-02-26 15:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avira
      2008-02-26 15:30 --------- d-----w C:\Program Files\microsoft frontpage
      2008-02-26 15:29 558,142 ----a-w C:\WINDOWS\java\Packages\7PZLJV5R.ZIP
      2008-02-26 15:29 155,995 ----a-w C:\WINDOWS\java\Packages\CMSEM46Z.ZIP
      2008-02-26 15:26 --------- d-----w C:\Program Files\Services en ligne
      2008-02-26 11:07 135,168 ----a-w C:\WINDOWS\system32\sfc_os.dll
      .

      ((((((((((((((((((((((((((((((((( Point de chargement Reg )))))))))))))))))))))))))))))))))))))))))))))))))
      .
      .
      REGEDIT4
      *Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés

      [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "Windows Networking Monitoring"="C:\WINDOWS\System32\mdm.exe" [2008-02-26 21:11 55296]

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-26 21:40 249896]
      "WinPerfectAutoRun"="C:\yenicag\WinPerfect\WinPerfect.exe" [2006-11-05 13:48 2838016]
      "Windows Networking Monitoring"="C:\WINDOWS\System32\mdm.exe" [2008-02-26 21:11 55296]

      [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
      "CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2002-08-30 21:00 13312]
      "Windows Networking Monitoring"="C:\WINDOWS\System32\mdm.exe" [2008-02-26 21:11 55296]

      R0 avgntmgr;avgntmgr;C:\WINDOWS\System32\DRIVERS\avgntmgr.sys [2007-07-18 14:22]
      R1 avgntdd;avgntdd;C:\WINDOWS\System32\DRIVERS\avgntdd.sys [2007-08-09 13:04]
      S2 Management Consultants (CLMCs);Management Consultants (CLMCs);"C:\WINDOWS\clmcs.exe" []
      S2 TTLMS;Track Learning Management System;C:\WINDOWS\System32\ttlms.exe []

      .
      **************************************************************************

      catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
      Rootkit scan 2008-02-26 22:26:10
      Windows 5.1.2600 Service Pack 1 NTFS

      Balayage processus cachés ...

      Balayage caché autostart entries ...

      Balayage des fichiers cachés ...

      Scan terminé avec succès
      Les fichiers cachés: 0

      **************************************************************************
      .
      Temps d'accomplissement: 2008-02-26 22:27:52
      ComboFix-quarantined-files.txt 2008-02-26 21:27:25

      Then I managed to download the SP2 pack and installed it. The problem is that the Windows firewall shows as disabled and it is impossible to enable it... Did I do the right thing??? I'm going to go nuts!
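The "Point de chargement Reg" section of the ComboFix log above is where a helper does the triage: the same "Windows Networking Monitoring" value points at C:\WINDOWS\System32\mdm.exe from HKCU, HKLM and HKEY_USERS\.DEFAULT, the file was written minutes before the scan, and two S2 services (clmcs.exe, ttlms.exe) carry empty [] metadata. The script below is an added example, not part of the thread or of ComboFix itself: it parses those lines (copied here as a constructed sample) and lists the reasons each load point deserves a closer look. The "same day as the scan" heuristic is this example's own assumption; it also flags avgnt.exe, which Avira installed that day, so it orders the review rather than deciding it.

```python
import re
from collections import defaultdict

# Constructed sample: the "Point de chargement Reg" lines copied from the
# ComboFix log posted above (a REGEDIT4-style dump plus R0/S2 service lines).
SAMPLE_LOAD_POINTS = r"""
REGEDIT4
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Networking Monitoring"="C:\WINDOWS\System32\mdm.exe" [2008-02-26 21:11 55296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-26 21:40 249896]
"WinPerfectAutoRun"="C:\yenicag\WinPerfect\WinPerfect.exe" [2006-11-05 13:48 2838016]
"Windows Networking Monitoring"="C:\WINDOWS\System32\mdm.exe" [2008-02-26 21:11 55296]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2002-08-30 21:00 13312]
"Windows Networking Monitoring"="C:\WINDOWS\System32\mdm.exe" [2008-02-26 21:11 55296]

R0 avgntmgr;avgntmgr;C:\WINDOWS\System32\DRIVERS\avgntmgr.sys [2007-07-18 14:22]
S2 Management Consultants (CLMCs);Management Consultants (CLMCs);"C:\WINDOWS\clmcs.exe" []
S2 TTLMS;Track Learning Management System;C:\WINDOWS\System32\ttlms.exe []
"""

HIVE_RE = re.compile(r'^\[(HKEY_[^\]]+)\]$')
VALUE_RE = re.compile(r'^"([^"]*)"="([^"]*)"\s*\[([^\]]*)\]$')
SERVICE_RE = re.compile(r'^([RS]\d)\s+([^;]+);([^;]*);"?(.+?)"?\s*\[([^\]]*)\]$')


def parse_load_points(text):
    """Split the section into Run values [(hive, name, path, meta)] and
    services [(start type, name, path, meta)]. `meta` is the bracketed
    "date time size" string ComboFix appends, empty when it recorded none."""
    hive, runs, services = None, [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = HIVE_RE.match(line)
        if m:
            hive = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and hive:
            runs.append((hive, m.group(1), m.group(2), m.group(3)))
            continue
        m = SERVICE_RE.match(line)
        if m:
            services.append((m.group(1), m.group(2), m.group(4), m.group(5)))
    return runs, services


def hive_root(hive):
    # "HKEY_USERS\.DEFAULT\Software\..." -> "HKEY_USERS\.DEFAULT"
    return re.split(r'\\software\\', hive, flags=re.IGNORECASE)[0]


def triage(text, scan_day):
    """Map each load-point path (lower-cased) to the list of reasons it
    deserves a closer look; paths with no reason are left out."""
    runs, services = parse_load_points(text)
    by_path = defaultdict(list)
    for hive, name, path, meta in runs:
        by_path[path.lower()].append((hive_root(hive), name, meta))

    reasons = defaultdict(list)
    for path, hits in by_path.items():
        hives = sorted({h for h, _, _ in hits})
        if len(hives) > 1:
            # One binary registered under HKCU, HKLM and the .DEFAULT profile
            # at once wants to start for every account, including before logon.
            reasons[path].append("registered in %d hives: %s" % (len(hives), ", ".join(hives)))
        meta = hits[0][2]
        if meta.startswith(scan_day):
            # Heuristic assumed by this example: a file dated the day of the
            # scan on a machine reinstalled that morning is worth a look.
            reasons[path].append("file dated %s, the day of the scan" % meta.split()[0])

    for start_type, name, path, meta in services:
        if meta == "":
            # Empty []: ComboFix recorded no file metadata for the service image.
            reasons[path.lower()].append(
                "%s service '%s' points at a file with no recorded metadata" % (start_type, name))
    return dict(reasons)


if __name__ == "__main__":
    for path, why in sorted(triage(SAMPLE_LOAD_POINTS, "2008-02-26").items()):
        print(path)
        for reason in why:
            print("   -", reason)
```

On the sample, mdm.exe collects two reasons (three hives, same-day file), the two S2 services are listed for their empty metadata, and CTFMON.EXE and WinPerfect.exe are not listed at all; avgnt.exe is listed only for its date, which the vendor path explains. The Antivir process scan in the next report confirms the clmcs.exe service image was the infected module.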
    2. bab2735 (Member)
      I also saved the Antivir report, just in case...
  2. green day (Moderator, Security contributor)
    Hi

    Now at startup the computer tells me it is missing "Clmcs.exe"; is that serious?

    Absolutely not! That process belongs to a backdoor! In other words, a nasty little bug!

    Yes, post the Antivir report, and download HijackThis

    Install it in a folder set aside for it.
    o For example, C:\HijackThis
    o Choose the option "do a system scan and save a logfile"; a report will be generated
    o Please copy/paste the report to the forum

    ++
    1. bab2735 (Member)
      Hi!
      Well, in the end we found it easier to reformat, and now we have 0 viruses, trojans or whatever else!
      Thanks anyway
      a++
  3. bab2735 (Member)
    Hi, I'm reassured about clmcs.exe, but not so much about the Windows firewall, which I can't enable..
    Here is the Antivir report:

    AntiVir PersonalEdition Classic
    Report file date: mardi 26 février 2008 21:42

    Scanning for 1125458 virus strains and unwanted programs.

    Licensed to: Avira AntiVir PersonalEdition Classic
    Serial number: 0000149996-ADJIE-0001
    Platform: Windows XP
    Windows version: (Service Pack 1) [5.1.2600]
    Username: SYSTEM
    Computer name: RAID

    Version information:
    BUILD.DAT : 270 15603 Bytes 19/09/2007 13:32:00
    AVSCAN.EXE : 7.0.6.1 290856 Bytes 23/08/2007 13:16:29
    AVSCAN.DLL : 7.0.6.0 49192 Bytes 16/08/2007 12:23:51
    LUKE.DLL : 7.0.5.3 147496 Bytes 14/08/2007 15:32:47
    LUKERES.DLL : 7.0.6.1 10280 Bytes 21/08/2007 12:35:20
    ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 18/07/2007 14:27:15
    ANTIVIR1.VDF : 7.0.1.95 3367424 Bytes 14/12/2007 20:40:33
    ANTIVIR2.VDF : 7.0.2.181 1993728 Bytes 24/02/2008 20:40:33
    ANTIVIR3.VDF : 7.0.2.195 59392 Bytes 26/02/2008 20:40:33
    AVEWIN32.DLL : 7.6.0.67 3293696 Bytes 26/02/2008 20:40:35
    AVWINLL.DLL : 1.0.0.7 14376 Bytes 26/02/2007 10:36:26
    AVPREF.DLL : 7.0.2.2 25640 Bytes 18/07/2007 07:39:17
    AVREP.DLL : 7.0.0.1 155688 Bytes 16/04/2007 13:16:24
    AVPACK32.DLL : 7.6.0.3 360488 Bytes 26/02/2008 20:40:35
    AVREG.DLL : 7.0.1.6 30760 Bytes 18/07/2007 07:17:06
    AVARKT.DLL : 1.0.0.20 278568 Bytes 28/08/2007 12:26:33
    AVEVTLOG.DLL : 7.0.0.20 86056 Bytes 18/07/2007 07:10:18
    NETNT.DLL : 7.0.0.0 7720 Bytes 08/03/2007 11:09:42
    RCIMAGE.DLL : 7.0.1.30 2342952 Bytes 07/08/2007 12:38:13
    RCTEXT.DLL : 7.0.62.0 86056 Bytes 21/08/2007 12:50:37
    SQLITE3.DLL : 3.3.17.1 339968 Bytes 23/07/2007 09:37:21

    Configuration settings for the scan:
    Jobname..........................: Complete system scan
    Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
    Logging..........................: low
    Primary action...................: interactive
    Secondary action.................: ignore
    Scan master boot sector..........: on
    Scan boot sector.................: on
    Boot sectors.....................: F:,
    Scan memory......................: on
    Process scan.....................: on
    Scan registry....................: on
    Search for rootkits..............: off
    Scan all files...................: All files
    Scan archives....................: on
    Recursion depth..................: 20
    Smart extensions.................: on
    Macro heuristic..................: on
    File heuristic...................: medium

    Start of the scan: mardi 26 février 2008 21:42

    The scan of running processes will be started
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'avscan.exe' - '1' Module(s) have been scanned
    Scan process 'avcenter.exe' - '1' Module(s) have been scanned
    Scan process 'cscript.exe' - '1' Module(s) have been scanned
    Scan process 'cmd.exe' - '1' Module(s) have been scanned
    Scan process 'sched.exe' - '1' Module(s) have been scanned
    Scan process 'avgnt.exe' - '1' Module(s) have been scanned
    Scan process 'avguard.exe' - '1' Module(s) have been scanned
    Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
    Scan process 'clmcs.exe' - '1' Module(s) have been scanned
    Module is infected -> 'C:\WINDOWS\clmcs.exe'
    Scan process 'mdm.exe' - '1' Module(s) have been scanned
    Scan process 'explorer.exe' - '1' Module(s) have been scanned
    Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'lsass.exe' - '1' Module(s) have been scanned
    Scan process 'services.exe' - '1' Module(s) have been scanned
    Scan process 'winlogon.exe' - '1' Module(s) have been scanned
    Scan process 'csrss.exe' - '1' Module(s) have been scanned
    Scan process 'smss.exe' - '1' Module(s) have been scanned
    Process 'clmcs.exe' has been terminated
    C:\WINDOWS\clmcs.exe
    [DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
    [INFO] The file was moved to '48317a17.qua'!

    22 processes with 21 modules were scanned

    Starting master boot sector scan:
    Master boot sector HD0
    [NOTE] No virus was found!
    Master boot sector HD1
    [NOTE] No virus was found!

    Start scanning boot sectors:
    Boot sector 'C:\'
    [NOTE] No virus was found!
    Boot sector 'D:\'
    [NOTE] No virus was found!
    Boot sector 'F:\'
    [NOTE] No virus was found!

    Starting to scan the registry.

    The registry was scanned ( '23' files ).

    Starting the file scan:

    Begin scan in 'C:\'
    C:\hiberfil.sys
    [WARNING] The file could not be opened!
    C:\pagefile.sys
    [WARNING] The file could not be opened!
    C:\Setup32.exe
    [DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
    [INFO] The file was moved to '48387a15.qua'!
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\05AZ0XQB\bb1[1].exe
    [DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
    [INFO] The file was moved to '47f57a1b.qua'!
    C:\System Volume Information\_restore{9CAEB862-0FA8-4013-9A7B-F79ABAB8A292}\RP3\A0003041.exe
    [DETECTION] Contains detection pattern of the worm WORM/Rbot.542720.7
    [INFO] The file was moved to '47f47a15.qua'!
    C:\System Volume Information\_restore{9CAEB862-0FA8-4013-9A7B-F79ABAB8A292}\RP3\A0005139.exe
    [DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
    [INFO] The file was moved to '47f47a1a.qua'!
    C:\System Volume Information\_restore{9CAEB862-0FA8-4013-9A7B-F79ABAB8A292}\RP3\A0005148.exe
    [DETECTION] Contains detection pattern of the worm WORM/Rbot.542720.7
    [INFO] The file was moved to '47f47a1c.qua'!
    C:\System Volume Information\_restore{9CAEB862-0FA8-4013-9A7B-F79ABAB8A292}\RP3\A0005169.exe
    [DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
    [INFO] The file was moved to '47f47a1e.qua'!
    C:\System Volume Information\_restore{9CAEB862-0FA8-4013-9A7B-F79ABAB8A292}\RP3\A0005170.exe
    [DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
    [INFO] The file was moved to '47f47a20.qua'!
    C:\WINDOWS\17PHolmes1148.exe
    [DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
    [INFO] The file was moved to '48147a2a.qua'!
    C:\WINDOWS\system32\aica.exe
    [DETECTION] Contains detection pattern of the worm WORM/IrcBot.34816.6
    [INFO] The file was moved to '48277b52.qua'!
    C:\WINDOWS\system32\bglkz.exe
    [DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
    [INFO] The file was moved to '48307b54.qua'!
    C:\WINDOWS\system32\cyuldl.exe
    [DETECTION] Contains detection pattern of the worm WORM/VanBot.AX.215
    [INFO] The file was moved to '48397b6c.qua'!
    C:\WINDOWS\system32\lgjs.exe
    [DETECTION] Contains code of the Windows virus W32/Virut.Gen
    [INFO] The file was moved to '482e7b66.qua'!
    C:\WINDOWS\system32\vlvf.exe
    [DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
    [INFO] The file was moved to '483a7b80.qua'!
    C:\WINDOWS\system32\ygbcxjov.exe
    [DETECTION] Contains code of the Windows virus W32/Virut.Gen
    [INFO] The file was moved to '48267b82.qua'!
    C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\LE9990OR\bb1[1].exe
    [DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
    [INFO] The file was moved to '47f57b82.qua'!
    Begin scan in 'D:\'
    Begin scan in 'F:\' <My Book>
    F:\Software\WinDVD.Platinum.v7.0\crack\Keymaker.exe
    [DETECTION] Is the Trojan horse TR/Dldr.Small.4417
    [INFO] The file was moved to '483d81e1.qua'!
    F:\System Volume Information\_restore{9CAEB862-0FA8-4013-9A7B-F79ABAB8A292}\RP3\A0005178.exe
    [DETECTION] Is the Trojan horse TR/Dldr.Small.4417
    [INFO] The file was moved to '47f481b9.qua'!

    End of the scan: mardi 26 février 2008 22:15
    Used time: 33:55 min

    The scan has been done completely.

    3145 Scanning directories
    138074 Files were scanned
    19 viruses and/or unwanted programs were found
    0 Files were classified as suspicious:
    0 files were deleted
    0 files were repaired
    18 files were moved to quarantine
    0 files were renamed
    2 Files cannot be scanned
    138055 Files not concerned
    735 Archives were scanned
    2 Warnings
    7 Notes

    I'm running the other scan tonight and will post the report tomorrow
    thanks again
    a++
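The AntiVir report above is long, and its summary block at the end says how many files were found but not where they were. The script below is an added example, not part of the thread or of Avira's tooling: it parses a constructed sample made of entries copied from the report (a path line followed by its [DETECTION], [INFO] and [WARNING] lines) and groups them the way one reads such a log: what was found, what actually reached quarantine, what could not be scanned, and which hits sit in System Restore snapshots or in the browser cache.

```python
import re
from collections import Counter

# Constructed sample: a handful of entries copied from the AntiVir report
# posted above (one process hit, one unscannable file, a browser-cache copy,
# a System Restore copy, two system32 drops and a "crack" on the F: drive).
SAMPLE_REPORT = r"""
Scan process 'clmcs.exe' - '1' Module(s) have been scanned
Module is infected -> 'C:\WINDOWS\clmcs.exe'
Process 'clmcs.exe' has been terminated
C:\WINDOWS\clmcs.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[INFO] The file was moved to '48317a17.qua'!
Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\05AZ0XQB\bb1[1].exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[INFO] The file was moved to '47f57a1b.qua'!
C:\System Volume Information\_restore{9CAEB862-0FA8-4013-9A7B-F79ABAB8A292}\RP3\A0003041.exe
[DETECTION] Contains detection pattern of the worm WORM/Rbot.542720.7
[INFO] The file was moved to '47f47a15.qua'!
C:\WINDOWS\system32\aica.exe
[DETECTION] Contains detection pattern of the worm WORM/IrcBot.34816.6
[INFO] The file was moved to '48277b52.qua'!
C:\WINDOWS\system32\lgjs.exe
[DETECTION] Contains code of the Windows virus W32/Virut.Gen
[INFO] The file was moved to '482e7b66.qua'!
Begin scan in 'F:\' <My Book>
F:\Software\WinDVD.Platinum.v7.0\crack\Keymaker.exe
[DETECTION] Is the Trojan horse TR/Dldr.Small.4417
[INFO] The file was moved to '483d81e1.qua'!
"""

PATH_RE = re.compile(r'^[A-Za-z]:\\')
QUARANTINE_RE = re.compile(r"^\[INFO\] The file was moved to '([^']+)'")


def parse_report(text):
    """Turn each path line and the [DETECTION]/[INFO]/[WARNING] lines that
    follow it into one dict; other report lines are ignored."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if PATH_RE.match(line):
            current = {"path": line, "detection": None, "quarantine": None, "unscannable": False}
            entries.append(current)
        elif current is None:
            continue
        elif line.startswith("[DETECTION]"):
            current["detection"] = line.split()[-1]   # e.g. TR/Crypt.XPACK.Gen
        elif QUARANTINE_RE.match(line):
            current["quarantine"] = QUARANTINE_RE.match(line).group(1)
        elif line.startswith("[WARNING]"):
            current["unscannable"] = True
    return entries


def summarize(text):
    """Group the parsed entries by what a responder needs to decide next."""
    entries = parse_report(text)
    detected = [e for e in entries if e["detection"]]
    return {
        "detected": len(detected),
        "quarantined": sum(1 for e in detected if e["quarantine"]),
        "not_quarantined": [e["path"] for e in detected if not e["quarantine"]],
        "unscannable": [e["path"] for e in entries if e["unscannable"]],
        # Family prefix before the slash: TR (trojan), WORM, W32 (file virus)
        "families": Counter(e["detection"].split("/")[0] for e in detected),
        # Copies inside System Restore snapshots come back if a restore is done
        "restore_points": [e["path"] for e in detected
                           if "\\system volume information\\_restore" in e["path"].lower()],
        # Copies in the browser cache show how the file reached the machine
        "browser_cache": [e["path"] for e in detected
                          if "\\temporary internet files\\" in e["path"].lower()],
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_REPORT).items():
        print("%-16s %s" % (key, value))
```

Two things the grouping makes visible: the hits under System Volume Information are restore-point copies, so System Restore has to be turned off and back on after cleanup or a later restore brings them back; and W32/Virut.Gen is a file-infecting virus, which is the usual argument for the rebuild this thread ended with rather than file-by-file quarantine.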
  4. green day (Moderator, Security contributor)
    Hi

    Radical, but sometimes effective. See here so you don't have to format again:

    http://www.commentcamarche.net/faq/sujet-2432-securite-proteger-un-ordinateur-contre-les-malwares-d-internet

    ++