Adds the following lines to HijackThis:
Installs the Carlson Dialer: C:\Program Files\Common Files\Carlson
F2 - REG:system.ini: Shell=Explorer.exe %WINDIR%\Qtime.exe
O23 - Service: CD-ROM drive - Unknown owner - C:\WINDOWS\Qtime.exe
File scan:
Warning: this infection patches the file tcpip.sys, which is a legitimate driver.
File Qtimes.exe received on 02.03.2008 22:38:43 (CET)
Current status: finished
Result: 21/32 (65.62%)
Antivirus Version Last Update Result
AhnLab-V3 2008.2.3.10 2008.02.02 -
AntiVir 7.6.0.61 2008.02.01 HEUR/Crypted
Authentium 4.93.8 2008.02.03 -
Avast 4.7.1098.0 2008.02.03 -
AVG 7.5.0.516 2008.02.03 -
BitDefender 7.2 2008.02.03 GenPack:Generic.Malware.I!FDBg.0DC073CC
CAT-QuickHeal 9.00 2008.02.01 (Suspicious) - DNAScan
ClamAV 0.92 2008.02.03 PUA.Packed.NPack-1
DrWeb 4.44.0.09170 2008.02.03 BackDoor.IRC.Sdbot.origin
eSafe 7.0.15.0 2008.01.28 Suspicious File
eTrust-Vet 31.3.5504 2008.02.01 -
Ewido 4.0 2008.02.03 -
FileAdvisor 1 2008.02.03 -
Fortinet 3.14.0.0 2008.02.03 -
F-Prot 4.4.2.54 2008.02.02 W32/Heuristic-114!Eldorado
F-Secure 6.70.13260.0 2008.02.03 W32/Malware
Ikarus T3.1.1.20 2008.02.03 Virus.Win32.Virut.n
Kaspersky 7.0.0.125 2008.02.03 Backdoor.Win32.SdBot.aad
McAfee 5221 2008.02.01 New Malware.eb
Microsoft 1.3204 2008.02.03 Backdoor:Win32/Sdbot.gen!A
NOD32v2 2845 2008.02.02 probably a variant of IRC/SdBot
Norman 5.80.02 2008.02.01 W32/Malware
Panda 9.0.0.4 2008.02.03 Suspicious file
Prevx1 V2 2008.02.03 Generic.Malware
Rising 20.29.22.00 2008.01.30 -
Sophos 4.26.0 2008.02.03 Mal/IRCBot-B
Sunbelt 2.2.907.0 2008.02.02 VIPRE.Suspicious
Symantec 10 2008.02.03 -
TheHacker 6.2.9.207 2008.02.03 -
VBA32 3.12.6.0 2008.02.03 suspected of Malware.Agent.23 (paranoid heuristics)
VirusBuster 4.3.26:9 2008.02.03 Packed/nPack
Webwasher-Gateway 6.6.2 2008.02.03 Heuristic.Crypted
Additional information
File size: 40960 bytes
MD5: 210ad4e5f821301f8db094e29eba0b6b
SHA1: bd6de4b03bd39dd8e3ffc9c4e62d8b447e719cfe
PEiD: nPack 1.1.300.2006 Beta -> NEOx
packers: NPack
norman sandbox: [ General information ]
* **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: [email protected] - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
* **Locates window "Unr3413.2(phr0stic-modd) [class NULL]" on desktop.
* **Locates window "Unreal3.2 Modded By LyR [class NULL]" on desktop.
* **Locates window "Unreal3.2.2b [class NULL]" on desktop.
* **Locates window "Unreal3.2-beta19 [class NULL]" on desktop.
* **Locates window "NULL [class MSNHiddenWindowClass]" on desktop.
* File length: 40960 bytes.
[ Changes to filesystem ]
* Creates file C:\WINDOWS\Qtime.exe.
* Deletes file c:\sample.exe.
[ Changes to registry ]
* Creates key "HKLM\Software\Microsoft\Windows".
* Sets value "e45bv"="c:\sample.exe" in key "HKLM\Software\Microsoft\Windows".
* Creates key "HKLM\System\CurrentControlSet\Services\CD-ROM drive ".
* Sets value "ImagePath"=""C:\WINDOWS\Qtime.exe"" in key "HKLM\System\CurrentControlSet\Services\CD-ROM drive ".
* Sets value "DisplayName"="CD-ROM drive " in key "HKLM\System\CurrentControlSet\Services\CD-ROM drive ".
* Deletes value "e45bv" in key "HKLM\Software\Microsoft\Windows".
* Sets value " tye5yg"="4/17/2006, 8:21 PM" in key "HKLM\Software\Microsoft\Windows".
* Sets value "WaitToKillServiceTimeout"="7000" in key "HKLM\System\CurrentControlSet\Control".
* Creates key "HKLM\Software\Symantec\LiveUpdate Admin".
* Sets value "Enterprise Security Manager"="" in key "HKLM\Software\Symantec\LiveUpdate Admin".
* Sets value "Intruder Alert"="" in key "HKLM\Software\Symantec\LiveUpdate Admin".
* Sets value "LiveAdvisor"="" in key "HKLM\Software\Symantec\LiveUpdate Admin".
* Sets value "LiveUpdate"="" in key "HKLM\Software\Symantec\LiveUpdate Admin".
* Sets value "Norton AntiVirus Product Updates"="" in key "HKLM\Software\Symantec\LiveUpdate Admin".
* Sets value "Norton AntiVirus Virus Definitions"="" in key "HKLM\Software\Symantec\LiveUpdate Admin".
File tcpip.sys received on 02.04.2008 18:11:31 (CET)
Current status: finished
Result: 1/32 (3.13%)
Antivirus Version Last Update Result
AhnLab-V3 2008.2.4.10 2008.02.04 -
AntiVir 7.6.0.62 2008.02.04 -
Authentium 4.93.8 2008.02.04 -
Avast 4.7.1098.0 2008.02.03 -
AVG 7.5.0.516 2008.02.04 -
BitDefender 7.2 2008.02.04 -
CAT-QuickHeal 9.00 2008.02.04 -
ClamAV 0.92 2008.02.04 -
DrWeb 4.44.0.09170 2008.02.04 -
eSafe 7.0.15.0 2008.01.28 -
eTrust-Vet 31.3.5509 2008.02.04 -
Ewido 4.0 2008.02.04 -
FileAdvisor 1 2008.02.04 -
Fortinet 3.14.0.0 2008.02.04 -
F-Prot 4.4.2.54 2008.02.03 -
F-Secure 6.70.13260.0 2008.02.04 -
Ikarus T3.1.1.20 2008.02.04 Win32.SuspectCrc
Kaspersky 7.0.0.125 2008.02.04 -
McAfee 5221 2008.02.01 -
Microsoft 1.3204 2008.02.04 -
NOD32v2 2847 2008.02.04 -
Norman 5.80.02 2008.02.01 -
Panda 9.0.0.4 2008.02.04 -
Prevx1 V2 2008.02.04 -
Rising 20.29.22.00 2008.01.30 -
Sophos 4.26.0 2008.02.04 -
Sunbelt 2.2.907.0 2008.02.02 -
Symantec 10 2008.02.04 -
TheHacker 6.2.9.208 2008.02.04 -
VBA32 3.12.6.0 2008.02.03 -
VirusBuster 4.3.26:9 2008.02.04 -
Webwasher-Gateway 6.6.2 2008.02.04 -
Additional information
File size: 359040 bytes
MD5: 3bb4b08619c111c7be8bda07aa0de6a2
SHA1: 1de616582af6a5c8ca562aa434923776a7820884