Trojan RDRIV.SYS

Salut,

1) Redémarre en mode sans échec

2) Relance HijackThis, coche cette ligne et appuie sur Fix Checked :
O23 - Service: MicroSoft Media Tools - Unknown owner - C:\WINDOWS\MSmedia.exe

3) Supprime ce fichier :
C:\WINDOWS\MSmedia.exe

4) Redémarre normalement

As tu encore des soucis ??

Hello
Merci pour ta réponse

Ca a marché à moitier, je m'explique :

Zone Alarme ne m'envoi plus de demande tous le 15 secondes 5 ( RDRIV.SYS ) merci encore.
Mais
1) Ma poubelle ne se vide pas ...
2) Les scan de XP anti vir guar et A2 me donne les rapports suivant :


Creation date of the report file: mardi 27 décembre 2005 22:24

AntiVir®/XP (2000 + NT) PersonalEdition Classic
Build 1114 of 04.11.2005
Mainprogram 6.32.00.51 of 03.11.2005
VDF file 6.33.0.71 (0) of 27.12.2005


This program is for PERSONAL USE only.
Any other use is PROHIBITED.
Informations regarding commercial versions of AntiVir may be obtained from:
www.hbedv.com.


Scanning for 270141 virus strains and unwanted programs.

Licensed for: AntiVir Personal Edition
Serial number: 0000149991-WURGE-0001

Please enter the workstation and
contact name with phone number in this form:

Name ___________________________________________

Street ___________________________________________

Town ___________________________________________

Phone/Fax ___________________________________________

Email ___________________________________________

Platform: Windows NT Workstation
Windows version: 5.1 Build 2600 (Service Pack 2)
Username: Benoît
Processor: Pentium
Working memory: 1048048 KB free

Version information:
AVWIN.DLL : 6.32.00.51 561192 04.11.2005 12:58:52
AVEWIN32.DLL : 6.33.0.70 1008128 22.12.2005 20:19:32
AVGNT.EXE : 6.32.00.02 180327 19.10.2005 16:48:52
AVGUARD.EXE : 6.32.00.12 208424 19.10.2005 16:48:52
GUARDMSG.DLL : 6.30.00.02 94248 01.02.2005 11:24:10
AVGCMSG.DLL : 6.32.00.01 295029 19.10.2005 16:48:52
AVGNTDW.SYS : 6.31.00.01 32896 29.04.2005 08:07:16
AVPACK32.DLL : 6.32.00.02 319528 19.10.2005 16:48:52
AVGETVER.DLL : 6.30.00.00 24576 28.01.2005 18:10:20
AVSHLEXT.DLL : 6.30.00.01 40960 28.01.2005 18:10:22
AVSched32.EXE : 6.32.00.01 110632 20.09.2005 14:16:24
AVSched32.DLL : 6.30.00.00 122880 01.02.2005 11:24:10
AVREG.DLL : 6.31.00.05 41000 07.09.2005 16:34:50
AVRep.DLL : 6.33.00.69 1613864 27.12.2005 17:58:42
INETUPD.EXE : 6.32.00.53 262203 04.11.2005 12:58:52
INETUPD.DLL : 6.32.00.53 143360 04.11.2005 12:58:52
CTL3D32.DLL : 2.31.000 27136 30.08.2002 12:00:00
MFC42.DLL : 6.02.4131.0 1028096 20.08.2004 00:09:30
MSVCRT.DLL : 7.0.2600.2180 (xpsp_sp2_rtm.0408
MSVCRT.DLL : 7.0.2600.2180 343040 20.08.2004 00:09:34
CTL3DV2.DLL : No information

Configuration file:

Name of configuration file: C:\Program Files\AVPersonal\AVWIN.INI
Name of report file: C:\Program Files\AVPersonal\LOGFILES\AVWIN.LOG
Start path: C:\Program Files\AVPersonal
Command line:
Start mode: unknown

Mode of report file:
[ ] Do not create report
[X] Overwrite report
[ ] Append new report

Data in report file:
[X] Infected files
[ ] Infected files with paths
[ ] All scanned files
[ ] Full information

Abridge report file:
[ ] Abridge report file

Warnings in report:
[X] Access denied/file locked
[X] Wrong file size in directory
[X] Wrong creation time in directory
[ ] COM file is too large
[X] Invalid start address
[X] Invalid EXE header
[X] Possibly damaged

Summary report:
[X] Create summary report
Output file: AVWIN.ACT
Maximum number of entries: 100

Where to search:
[X] Memory
[X] Boot record of selected drives
[ ] Report unknown boot sectors
[ ] All files
[X] Program files
Extensions: .386 .?HT* .ACM .ADE .ADP .ANI .APP .ASD .ASF .ASP .ASX .AWX .AX .BAS .BAT .BIN .BOO .CDF .CHM .CLASS .CMD .CNV .COM .CPL .CRT .CSH .DLL .DLO .DO? .DRV .EMF .EML .EXE* .FLT .FOT .HLP .HT* .INF .INI .INS .ISP .J2K .JAR .JFF .JFI .JFIF .JIF .JMH .JNG .JP2 .JPE .JPEG .JPG .JS* .JSE .LNK .MD? .MDB .MOD .MS? .NWS .OBJ .OCX .OLB .OSD .OV? .PCD .PDR .PGM .PHP .PIF .PKG .PL* .PNG .POT .PPS .PPT .PRG .RAR .REG .RPL .RTF .SBF .SCR .SCRIPT .SCT .SH .SHA .SHB .SHS .SHTM* .SPL .SWF .SYS .TLB .TMP .TSP .TTF .URL .VB? .VCS .VLM .VXD .VXO .WIZ .WLL .WMD .WMS .WMZ .WPC .WSC .WSF .WSH .WWK .XL? .XML .ZIP

Response in case of a detection:
[ ] Repair with prompt
[ ] Repair without prompt
[ ] Delete with prompt
[X] Delete without prompt
[ ] Write in report file only
[X] Acoustic alarm

Response in case of destroyed files:
[ ] Delete with prompt
[ ] Delete without prompt
[ ] Ignore

Response in case of destroyed files:
[ ] No change
[ ] Current system time
[ ] Correct date

Drag&drop settings:
[X] Scan subdirectories

Profile settings:
[X] Scan subdirectories

Archive options
[X] Search archive
[X] All archive types

Miscellaneous options:
Temporary path: %TEMP% -> C:\DOCUME~1\BENOÎT\LOCALS~1\Temp
[X] Overwrite infected files
[ ] Detect idle time
[X] Allow interruptions of scan
[X] Load AVWin®/NT Guard on System start

General settings:
[X] Save options on exiting AntiVir
Priority: medium

Drives:
A: Floppy drive
C: Hard disk
D: CD-ROM
E: CD-ROM
F: Hard disk
G: Hard disk

Start of scan: mardi 27 décembre 2005 22:24

Memory test OK
Master boot record of hard disk HD0 OK
Master boot record of hard disk HD1 OK
Boot record of drive C: OK
Boot record of drive F: OK
Boot record of drive G: OK


Access denied! Error during file opening!
Error code: 0x0002
C:\

WARNING! Access error/file locked!
C:\WINDOWS\system32\config
SECURITY
Access denied! Error during file opening!
Error code: 0x000D
WARNING! Access error/file locked!
SAM
Access denied! Error during file opening!
Error code: 0x000D
WARNING! Access error/file locked!
SYSTEM
Access denied! Error during file opening!
Error code: 0x000D
WARNING! Access error/file locked!
SOFTWARE
Access denied! Error during file opening!
Error code: 0x000D
WARNING! Access error/file locked!
DEFAULT
Access denied! Error during file opening!
Error code: 0x000D
WARNING! Access error/file locked!
C:\WINDOWS\Temp
ZLT02f11.TMP
Access denied! Error during file opening!
Error code: 0x000D
WARNING! Access error/file locked!
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery
AlexaRelated.zip
ArchiveType: ZIP
NOTE! The whole archive is password protected
LSA.zip
ArchiveType: ZIP
NOTE! The whole archive is password protected
LSA1.zip
ArchiveType: ZIP
NOTE! The whole archive is password protected
LSA2.zip
ArchiveType: ZIP
WindowsSecurityCenterAntiVirusDisableNotify.zip
ArchiveType: ZIP
NOTE! The whole archive is password protected
WindowsSecurityCenterAntiVirusOverride.zip
ArchiveType: ZIP
NOTE! The whole archive is password protected
WindowsSecurityCenterFirewallDisableNotify.zip
ArchiveType: ZIP
NOTE! The whole archive is password protected
WindowsSecurityCenterFirewallOverride.zip
ArchiveType: ZIP
NOTE! The whole archive is password protected
WindowsSecurityCenterSPUpdate.zip
ArchiveType: ZIP
NOTE! The whole archive is password protected
WindowsSecurityCenterUpdateDisableNotify.zip
ArchiveType: ZIP
NOTE! The whole archive is password protected
WinFixer.zip
ArchiveType: ZIP
NOTE! The whole archive is password protected
WinsoftwareCommon.zip
ArchiveType: ZIP
C:\Documents and Settings\Benoît\Bureau\Telechargement
oo.exe
ArchiveType: RAR SFX (self extracting)
--> is.exe
[DETECTION] Is the Trojan horse TR/Dldr.ConHook.Q.2
C:\System Volume Information\_restore{89902088-0789-42EA-A903-BC029E7F155D}\RP138
A0030368.exe
ArchiveType: RAR SFX (self extracting)
--> is.exe
[DETECTION] Is the Trojan horse TR/Dldr.ConHook.Q.2
--> low.exe
[DETECTION] Contains signature of the dropper DR/Lomix.5
--> xe.exe
[DETECTION] Is the Trojan horse TR/Dldr.Adload.J.4
--> tb.exe
[DETECTION] Contains signature of the dropper DR/Lomix.1
--> mmxateam.exe
[DETECTION] Contains signature of the dropper DR/Lomix.4
C:\Recycled\Dg1\WinRAR
rarnew.dat
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
C:\Program Files\WinRAR
rarnew.dat
ArchiveType: RAR
NOTE! The archive is created by multiple volumes


Error! Could not change directory: System Volume Information


Error! Could not change directory: MP3
Error! Could not change directory: System Volume Information

End of scan: mardi 27 décembre 2005 22:58
Time taken: 34:16 min


6570 directories were scanned
164967 files were scanned
7 warning messages were issued
0 files were deleted
0 files were repaired
6 detections

___________________________________________

Hijack :

Logfile of HijackThis v1.99.1
Scan saved at 23:15:35, on 27/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVPersonal\AVGNT.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Pinnacle\Pinnacle PCTV\Remote\Remoterm.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Pinnacle\Shared Files\Programs\Scheduler\PCLEScheduler.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\Documents and Settings\Benoît\Bureau\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.neuf.fr
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.neuf.fr
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [PCTVRemote] C:\Program Files\Pinnacle\Pinnacle PCTV\Remote\Remoterm.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - Global Startup: Pinnacle Scheduler.lnk = C:\Program Files\Pinnacle\Shared Files\Programs\Scheduler\PCLEScheduler.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls...
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

______________________________________

Si tu peux regader, ça serait super

A bientôt
Ben