A little help please...

Security - Windows & Software

Marsh posted on 26-10-2004 at 11:55:59

Hello everyone,
 
I find myself completely helpless against the continual infection of my system by various viruses, first among them wsass.exe... And this despite my antivirus avast4, my Kerio firewall (but perhaps I have configured it badly), Ad-Aware, Spybot-S&D and even Stinger. Here is a small best-of of the alerts from the past few days:
 
18/10/2004 22:07:56 AUTORITE NT\SYSTEM 596 Sign of "Win32:IRCbot-P [Trj]" has been found in "C:\wsass.exe" file.  
18/10/2004 23:17:34 ROMAIN-*****\************ 460 Sign of "Win32:SdBot-488 [Trj]" has been found in "C:\Program Files\Alwil Software\Avast4\DATA\moved\wsass.exe.vir\[AsPack]" file.  
19/10/2004 20:16:10 AUTORITE NT\SYSTEM 596 Sign of "Win32:IRCbot-P [Trj]" has been found in "C:\WINNT\system32\wsass.exe" file.
0/10/2004 19:59:26 ROMAIN-*****\************ 1388 Sign of "Win32:SdBot-488 [Trj]" has been found in "C:\wsass.exe\[AsPack]" file.  
23/10/2004 17:39:24 AUTORITE NT\SYSTEM 600 Sign of "Win32:Jeefo" has been found in "C:\WINNT\system32\ntlogin32.exe" file.
24/10/2004 19:21:11 AUTORITE NT\SYSTEM 604 Sign of "Win32:Trojan-gen. {VC}" has been found in "C:\WINNT\system32\musirc4.72.exe" file.  
26/10/2004 11:16:50 AUTORITE NT\SYSTEM 596 Sign of "Win32:Trojan-gen. {UPX!}" has been found in "C:\WINNT\system32\shadow.exe" file.
 
I always manage to quarantine or destroy them, but they inevitably come back.
 

I ran a scan with RAVANTIVIRUS:
 
Scan started at 26/10/2004 11:10:48
 
Scanning memory...
Scanning boot sectors...
Scanning files...
C:\WINNT\system32\cnnet.exe->(PEDiminisher) - Backdoor:IRC/SdBot -> Suspicious
C:\WINNT\system32\vhdfs.exe->(FSGPE) - Backdoor:IRC/SdBot -> Suspicious
C:\WINNT\system32\vnmmuw.exe->(RARsfx)->(RARSfx)->vhdfs.exe->(FSGPE) - Backdoor:IRC/SdBot -> Suspicious
C:\WINNT\system32\vnmmuw.exe->(RARSfx)->vhdfs.exe->(FSGPE) - Backdoor:IRC/SdBot -> Suspicious
C:\WINNT\system32\wsass.0xe - Backdoor:IRC/SdBot -> Infected
C:\WINNT\Temp\trz6.tmp - Backdoor:IRC/SdBot -> Infected
C:\WINNT\Temp\trzA.tmp - Backdoor:IRC/SdBot -> Infected
 
Scanned
============================
 Objects: 43222
 Directories: 2345
 Archives: 694
 Size(Kb): 1493771
 Infected files: 3
 
Found
============================
 Viruses found: 1
 Suspicious files: 4
 Disinfected files: 0
 Mail files: 454
 
HijackThis report:
 
Logfile of HijackThis v1.98.2
Scan saved at 12:00:30, on 26/10/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
 
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINNT\system32\atiptaxx.exe
C:\WINNT\system32\desk95.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\Program Files\RamBoost XP\rambxpfr.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\mozilla.org\Mozilla\mozilla.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\Alwil Software\Avast4\ashLogV.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\**************\Local Settings\Temp\HijackThis.exe
 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.free.fr/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://freebox.free.fr/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://freebox.free.fr/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =  
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =  
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [HydarVisionDesktopManager] desk95.exe
O4 - HKLM\..\Run: [HydraVisionViewport] viewport.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKCU\..\Run: [RamBoostXp] C:\Program Files\RamBoost XP\rambxpfr.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://freebox.free.fr/
O16 - DPF: ppctlcab - http://69.44.122.156/scanner/ppctlcab.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://69.44.122.156/scanner/axscanner.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537 [...] scan53.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5EB8CDBA-4C07-44C3-A802-AD57F82F6FAF}: NameServer = 213.228.0.212 212.27.39.2
O19 - User stylesheet:  (file missing)
 
 
Thanks in advance, I hope someone will be able to help me.
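The avast alert lines and the HijackThis O4/O16 entries quoted in the post above, parsed by an added example in Python. This is not code from the post, from avast or from HijackThis; it treats the lines exactly as posted as its constructed sample input. The two heuristics it applies are this example's own assumptions: a dropped file that avast detects on more than one calendar day is being re-dropped rather than merely re-detected (so the persistence point was never removed), and an O16 DPF download keyed to a literal IP host deserves a manual look. All helper names (parse_avast, recurring, system32_drops, review_hijackthis) are invented here. The parser also keeps lines it cannot read, which is why the truncated "0/10/2004" line in the post is reported rather than silently dropped.

```python
"""Added example (not from the post, avast or HijackThis): parse avast 4
alert lines and HijackThis O4/O16 entries, find files that keep coming back
after quarantine, and list autorun / download entries to review by hand."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the alert lines as quoted in the post (one is truncated as posted).
AVAST_LOG = r"""
18/10/2004 22:07:56 AUTORITE NT\SYSTEM 596 Sign of "Win32:IRCbot-P [Trj]" has been found in "C:\wsass.exe" file.
18/10/2004 23:17:34 ROMAIN-*****\************ 460 Sign of "Win32:SdBot-488 [Trj]" has been found in "C:\Program Files\Alwil Software\Avast4\DATA\moved\wsass.exe.vir\[AsPack]" file.
19/10/2004 20:16:10 AUTORITE NT\SYSTEM 596 Sign of "Win32:IRCbot-P [Trj]" has been found in "C:\WINNT\system32\wsass.exe" file.
0/10/2004 19:59:26 ROMAIN-*****\************ 1388 Sign of "Win32:SdBot-488 [Trj]" has been found in "C:\wsass.exe\[AsPack]" file.
23/10/2004 17:39:24 AUTORITE NT\SYSTEM 600 Sign of "Win32:Jeefo" has been found in "C:\WINNT\system32\ntlogin32.exe" file.
24/10/2004 19:21:11 AUTORITE NT\SYSTEM 604 Sign of "Win32:Trojan-gen. {VC}" has been found in "C:\WINNT\system32\musirc4.72.exe" file.
26/10/2004 11:16:50 AUTORITE NT\SYSTEM 596 Sign of "Win32:Trojan-gen. {UPX!}" has been found in "C:\WINNT\system32\shadow.exe" file.
"""

# Constructed sample: a subset of the HijackThis entries quoted in the post.
HJT_LOG = r"""
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [HydarVisionDesktopManager] desk95.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [RamBoostXp] C:\Program Files\RamBoost XP\rambxpfr.exe
O16 - DPF: ppctlcab - http://69.44.122.156/scanner/ppctlcab.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
"""

# Line formats as they appear in the post (assumed, not an official avast/HJT grammar).
AVAST_RE = re.compile(
    r'^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) (?P<account>.+?) (?P<pid>\d+) '
    r'Sign of "(?P<sig>[^"]+)" has been found in "(?P<path>[^"]+)" file\.\s*$')
PACKER_TAG = re.compile(r'\\\[[^\]]+\]$')      # trailing "\[AsPack]" unpacker tag
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<key>[^\]]*)\] (?P<cmd>.+)$')
O16_RE = re.compile(r'^O16 - DPF: (?P<ident>.+?) - (?P<url>https?://\S+)')
IPV4_HOST = re.compile(r'^https?://(\d{1,3}(?:\.\d{1,3}){3})(?:[:/]|$)')


def dropped_name(path):
    """Normalise a detection path to the dropped file name: strip the unpacker
    tag and avast's quarantine ".vir" suffix, then take the lower-cased basename."""
    name = PACKER_TAG.sub('', path).rsplit('\\', 1)[-1].lower()
    return name[:-4] if name.endswith('.vir') else name


def parse_avast(text):
    """Return (events, unparsed). Each event keeps timestamp, reporting account,
    PID, signature, raw path and the normalised dropped-file name."""
    events, unparsed = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = AVAST_RE.match(line)
        if not m:
            unparsed.append(line)           # e.g. the truncated "0/10/2004" line
            continue
        events.append({
            'ts': datetime.strptime(m['ts'], '%d/%m/%Y %H:%M:%S'),
            'account': m['account'], 'pid': int(m['pid']), 'sig': m['sig'],
            'path': m['path'], 'name': dropped_name(m['path'])})
    return events, unparsed


def recurring(events):
    """Dropped names detected on more than one calendar day (heuristic: a file
    that reappears after quarantine is being re-dropped by something that stayed)."""
    days = defaultdict(set)
    for e in events:
        days[e['name']].add(e['ts'].date())
    return {n: sorted(d) for n, d in days.items() if len(d) > 1}


def system32_drops(events):
    """Distinct dropped names whose detection path sits under the system32 directory."""
    return sorted({e['name'] for e in events if '\\system32\\' in e['path'].lower()})


def review_hijackthis(text):
    """Return (autoruns, raw_ip_downloads): every O4 Run entry, and O16 DPF entries
    whose download host is a literal IPv4 address (heuristic: check by hand)."""
    autoruns, raw_ip = [], []
    for line in text.splitlines():
        m = O4_RE.match(line)
        if m:
            autoruns.append((m['hive'], m['key'], m['cmd']))
            continue
        m = O16_RE.match(line)
        if m and IPV4_HOST.match(m['url']):
            raw_ip.append((m['ident'], m['url']))
    return autoruns, raw_ip


if __name__ == '__main__':
    events, unparsed = parse_avast(AVAST_LOG)
    for name, days in recurring(events).items():
        print(f'{name}: seen on {len(days)} days: {", ".join(d.isoformat() for d in days)}')
    print('dropped under system32:', system32_drops(events))
    print('unparsed lines:', len(unparsed))
    autoruns, raw_ip = review_hijackthis(HJT_LOG)
    for hive, key, cmd in autoruns:
        print(f'autorun {hive} [{key}] -> {cmd}')
    for ident, url in raw_ip:
        print(f'DPF from raw IP host: {ident} -> {url}')
```

On the posted lines, recurring() reports only wsass.exe (18 and 19 October), which is the signal the poster describes in words: avast removes the file and something re-drops it. The O4 listing is there to be read alongside the HijackThis "Running processes" section; unqualified commands such as desk95.exe resolve through the search path, so the on-disk file actually launched is what needs checking, not the registry string.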
