pc infecté par virtumonde

Question

bonjour, je viens de m'inscrire sur le site pour trouver des solutions à une infection par virtumonde.j'ai vu des remarques et des commentaires sur ce virus et j'ai essayé de l'erradiquer, avec vundo...etc...mais envain.j'espère donc trouver une solution auprès des surdoués de l'informatique sur ce site.
merci d'avance.

Lyonnais92 · Answer

Bonjour,

Télécharge HijackThis ici: 
https://www.01net.com/telecharger/windows/Securite/anti-spyware/fiches/29061.html 

Dézippe le dans un dossier prévu à cet effet. 
Par exemple C:\hijackthis < Enregistre le bien dans c : ! 
Démo : (Merci a Balltrap34 pour cette réalisation) 
http://perso.orange.fr/rginformatique/section%20virus/Hijenr.gif

Lance le puis: 
clique sur "do a system scan and save logfile" (cf démo) 
faire un copier coller du log entier sur le forum 

Démo : (Merci a Balltrap34 pour cette réalisation) 

http://perso.orange.fr/rginformatique/section%20virus/demohijack.htm 

Télécharge VundoFix.exe (par Atribune) sur ton Bureau. 
http://www.atribune.org/ccount/click.php?id=4 
Double-clique VundoFix.exe afin de le lancer. 

Clique sur le bouton Scan for Vundo. 
Lorsque le scan est complété, clique sur le bouton Remove Vundo. 
Une invite te demandera si tu veux supprimer les fichiers, clique YES 
Après avoir cliqué "Yes", le Bureau disparaîtra un moment lors de la suppression des fichiers. 
Tu verras une invite qui t'annonce que ton PC va s'éteindre ("shutdown") ; clique OK 
Démarre ton PC à nouveau. 

à+

Lyonnais92 · Answer

Re,

je ne vois pas hijackthis.
@+

inconico · Answer

re,
tu ne vois pas hijackthis? tu ne vois pas le rapport?peux tu m'éclairer?
merci 
a+

Lyonnais92 · Answer

re,

OK, je vais être pluus clair, 

donne la référence du post où le helper t'a fait renommer Hgijackthis.exe en vundoscan.exe.

@+

Lyonnais92 · Answer

re,

dans ton premier log hijackthis, je lis ça :

C:\WINDOWS\system32\rundll32.exe 
C:\Documents and Settings\vundoscan.exe 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.msn.com/fr-fr 

Je veux que tu me dises qui t'a demandé de renommer Hijackthis.exe en vundoscan.ecxe et la référence (l'url)de ce traitement.

@+

Lyonnais92 · Answer

Re,

désinstalle Command Conquer 3 Tiberium Wars  et FlashGet.

Je n'ai pas eu le rapport de Vundofix. Mets le dans ta réponse avec un nouveau log Hijackthis.

@+

inconico · Answer

bonjour,
j'ai supprimé command conquer et flasget, puis lancé vundofix, celui-ci n'a rien détecté, ci dessous le rapport,
merci 

Logfile of HijackThis v1.99.1
Scan saved at 08:01:41, on 25/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\Program Files\Eset
od32krn.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Fichiers communs\Real\Update_OBealsched.exe
C:\Program Files\AGEIA Technologies\TrayIcon.exe
C:\Program Files\TomTom HOME\TomTomHOME.exe
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Eset
od32kui.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\MICROS~3apimgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\SAGEM Wi-Fi USB 802.11g\WLANUTL.exe
C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe
C:\WINDOWS\BricoPacks\Vista Inspirat\ObjectDock\ObjectDock.exe
C:\WINDOWS\BricoPacks\Vista Inspirat\YzToolbar\YzToolBar.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\system32undll32.exe
C:\Program Files\Hijackthis Version Française\VERSION TRADUITE ORIGINALE.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.msn.com/fr-fr
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.msn.com/fr-fr/?ocid=iehp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.msn.com/fr-fr/?ocid=iehp
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - URLSearchHook: Yahoo! Toolbar avec bloqueur de fenêtres pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {0233D1D6-E00D-4C45-BF14-485759765168} - C:\WINDOWS\system32\yayywwu.dll
O2 - BHO: Aide pour le lien d'Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0C08621B-321A-4AE6-9771-6BF96C9FDA09} - C:\WINDOWS\system32\ssqpo.dll (file missing)
O2 - BHO: (no name) - {260C7507-52FB-451A-B3D9-42D194BE7ECD} - (no file)
O2 - BHO: (no name) - {28E44312-08D8-4531-94A1-DB35E891D59B} - C:\WINDOWS\system32\jkkli.dll
O2 - BHO: (no name) - {2EDB63B7-7432-42B8-B484-B7DE2779F848} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {55DB983C-BDBF-426f-86F0-187B02DDA39B} - C:\WINDOWS\system32\yejagkds.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {B817A4B5-E3A1-46AE-9340-5448A8AC3033} - C:\WINDOWS\system32\jkkji.dll (file missing)
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe"  -lang 1033
O4 - HKLM\..\Run: [Anti-Blaxx Manager] :C:\Program Files\Anti-Blaxx\Anti-Blaxx.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OBealsched.exe"  -osboot
O4 - HKLM\..\Run: [AGEIA PhysX SysTray] C:\Program Files\AGEIA Technologies\TrayIcon.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME\TomTomHOME.exe" -s
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset
od32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [I downloaded pirated Software from P2P 2006] Command  Conquer 3 Tiberium Wars
O4 - HKLM\..\Run: [I downloaded pirated Software from P2P] Command  Conquer 3 Tiberium Wars Kane Edition
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -masquer
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\system32\cijryljx.dll",realset
O4 - HKLM\..\Run: [SDTray] C:\Program Files\Spyware Doctor\SDTrayApp.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat\ObjectDock\ObjectDock.exe
O4 - Startup: Y'z ToolBar.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat\YzToolbar\YzToolBar.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Reader 8.0\Readereader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Utilitaire réseau pour SAGEM Wi-Fi 11g USB adapter.lnk = ?
O4 - Global Startup: Wireless Configuration Utility HW.51.lnk = C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe
O8 - Extra context menu item: Convertir les liens sélectionnés en fichier Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Créer un favori mobile... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/...
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHIE~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: ddayx - C:\WINDOWS\system32\ddayx.dll (file missing)
O20 - Winlogon Notify: ddccc - C:\WINDOWS\
O20 - Winlogon Notify: jkkji - C:\WINDOWS\
O20 - Winlogon Notify: jkkli - C:\WINDOWS\
O20 - Winlogon Notify: mljjg - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O20 - Winlogon Notify: yayywwu - C:\WINDOWS\SYSTEM32\yayywwu.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Boonty Games - BOONTY - C:\Program Files\Fichiers communs\BOONTY Shared\Service\Boonty.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - C:\Program Files\Eset
od32krn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

Lyonnais92 · Answer

Bonjour,


puis lancé vundofix, celui-ci n'a rien détecté

Où est le rapport ?

Télécharge VirtumundoBegone sur le bureau: 
http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe 

Double clique ensuite sur VirtumundoBeGone.exe et suis les instructions. 
Une fois terminé, redémarre et poste le rapport VBG.TXT créé sur le bureau dans ta prochaine réponse avec un nouveau rapport HijackThis. 
Ne t'inquiète pas si tu vois un message Ecran bleu "Erreur fatale", c'est normal et attendu 
@+

inconico · Answer

re,merci pour les conseils, je ne sais pas si j'ai bien fait l'analyse avec virtumondobegone, 
voici le rapport 


[05/25/2007, 19:26:06] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings
icolas\Bureau\VirtumundoBeGone.exe" )
[05/25/2007, 19:26:12] - Detected System Information:
[05/25/2007, 19:26:12] -  Windows Version: 5.1.2600, Service Pack 2
[05/25/2007, 19:26:12] -  Current Username: nicolas (Admin)
[05/25/2007, 19:26:12] -  Windows is in NORMAL mode.
[05/25/2007, 19:26:12] - Searching for Browser Helper Objects:
[05/25/2007, 19:26:12] -  BHO 1: {0233D1D6-E00D-4C45-BF14-485759765168} ()
[05/25/2007, 19:26:12] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/25/2007, 19:26:12] -  Checking for HKLM\...\Winlogon\Notify\yayywwu
[05/25/2007, 19:26:12] -  Found: HKLM\...\Winlogon\Notify\yayywwu - This is probably Virtumundo.
[05/25/2007, 19:26:12] -  Assigning {0233D1D6-E00D-4C45-BF14-485759765168} MSEvents Object
[05/25/2007, 19:26:12] - BHO list has been changed! Starting over...
[05/25/2007, 19:26:12] -  BHO 1: {0233D1D6-E00D-4C45-BF14-485759765168} (MSEvents Object)
[05/25/2007, 19:26:12] - ALERT: Found MSEvents Object!
[05/25/2007, 19:26:12] -  BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Aide pour le lien d'Adobe PDF Reader)
[05/25/2007, 19:26:12] -  BHO 3: {0C08621B-321A-4AE6-9771-6BF96C9FDA09} ()
[05/25/2007, 19:26:12] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/25/2007, 19:26:12] -  Checking for HKLM\...\Winlogon\Notify\ssqpo
[05/25/2007, 19:26:12] -  Key not found: HKLM\...\Winlogon\Notify\ssqpo, continuing.
[05/25/2007, 19:26:12] -  BHO 4: {260C7507-52FB-451A-B3D9-42D194BE7ECD} ()
[05/25/2007, 19:26:12] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/25/2007, 19:26:12] -  No filename found. Continuing.
[05/25/2007, 19:26:12] -  BHO 5: {28E44312-08D8-4531-94A1-DB35E891D59B} ()
[05/25/2007, 19:26:12] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/25/2007, 19:26:12] -  Checking for HKLM\...\Winlogon\Notify\jkkli
[05/25/2007, 19:26:12] -  Found: HKLM\...\Winlogon\Notify\jkkli - This is probably Virtumundo.
[05/25/2007, 19:26:12] -  Assigning {28E44312-08D8-4531-94A1-DB35E891D59B} MSEvents Object
[05/25/2007, 19:26:12] - BHO list has been changed! Starting over...
[05/25/2007, 19:26:12] -  BHO 1: {0233D1D6-E00D-4C45-BF14-485759765168} (MSEvents Object)
[05/25/2007, 19:26:12] - ALERT: Found MSEvents Object!
[05/25/2007, 19:26:12] -  BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Aide pour le lien d'Adobe PDF Reader)
[05/25/2007, 19:26:12] -  BHO 3: {0C08621B-321A-4AE6-9771-6BF96C9FDA09} ()
[05/25/2007, 19:26:12] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/25/2007, 19:26:12] -  Checking for HKLM\...\Winlogon\Notify\ssqpo
[05/25/2007, 19:26:12] -  Key not found: HKLM\...\Winlogon\Notify\ssqpo, continuing.
[05/25/2007, 19:26:12] -  BHO 4: {260C7507-52FB-451A-B3D9-42D194BE7ECD} ()
[05/25/2007, 19:26:12] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/25/2007, 19:26:12] -  No filename found. Continuing.
[05/25/2007, 19:26:12] -  BHO 5: {28E44312-08D8-4531-94A1-DB35E891D59B} (MSEvents Object)
[05/25/2007, 19:26:12] - ALERT: Found MSEvents Object!
[05/25/2007, 19:26:12] -  BHO 6: {2EDB63B7-7432-42B8-B484-B7DE2779F848} ()
[05/25/2007, 19:26:12] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/25/2007, 19:26:12] -  No filename found. Continuing.
[05/25/2007, 19:26:12] -  BHO 7: {53707962-6F74-2D53-2644-206D7942484F} ()
[05/25/2007, 19:26:12] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/25/2007, 19:26:12] -  Checking for HKLM\...\Winlogon\Notify\SDHelper
[05/25/2007, 19:26:12] -  Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[05/25/2007, 19:26:12] -  BHO 8: {55DB983C-BDBF-426f-86F0-187B02DDA39B} ()
[05/25/2007, 19:26:12] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/25/2007, 19:26:12] -  Checking for HKLM\...\Winlogon\Notify\yejagkds
[05/25/2007, 19:26:12] -  Key not found: HKLM\...\Winlogon\Notify\yejagkds, continuing.
[05/25/2007, 19:26:12] -  BHO 9: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[05/25/2007, 19:26:12] -  BHO 10: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
[05/25/2007, 19:26:12] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/25/2007, 19:26:12] -  No filename found. Continuing.
[05/25/2007, 19:26:12] -  BHO 11: {9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
[05/25/2007, 19:26:12] -  BHO 12: {B817A4B5-E3A1-46AE-9340-5448A8AC3033} ()
[05/25/2007, 19:26:12] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/25/2007, 19:26:12] -  Checking for HKLM\...\Winlogon\Notify\jkkji
[05/25/2007, 19:26:12] -  Found: HKLM\...\Winlogon\Notify\jkkji - This is probably Virtumundo.
[05/25/2007, 19:26:12] -  Assigning {B817A4B5-E3A1-46AE-9340-5448A8AC3033} MSEvents Object
[05/25/2007, 19:26:12] - BHO list has been changed! Starting over...
[05/25/2007, 19:26:12] -  BHO 1: {0233D1D6-E00D-4C45-BF14-485759765168} (MSEvents Object)
[05/25/2007, 19:26:12] - ALERT: Found MSEvents Object!
[05/25/2007, 19:26:12] -  BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Aide pour le lien d'Adobe PDF Reader)
[05/25/2007, 19:26:12] -  BHO 3: {0C08621B-321A-4AE6-9771-6BF96C9FDA09} ()
[05/25/2007, 19:26:12] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/25/2007, 19:26:12] -  Checking for HKLM\...\Winlogon\Notify\ssqpo
[05/25/2007, 19:26:12] -  Key not found: HKLM\...\Winlogon\Notify\ssqpo, continuing.
[05/25/2007, 19:26:12] -  BHO 4: {260C7507-52FB-451A-B3D9-42D194BE7ECD} ()
[05/25/2007, 19:26:12] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/25/2007, 19:26:12] -  No filename found. Continuing.
[05/25/2007, 19:26:12] -  BHO 5: {28E44312-08D8-4531-94A1-DB35E891D59B} (MSEvents Object)
[05/25/2007, 19:26:12] - ALERT: Found MSEvents Object!
[05/25/2007, 19:26:12] -  BHO 6: {2EDB63B7-7432-42B8-B484-B7DE2779F848} ()
[05/25/2007, 19:26:12] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/25/2007, 19:26:12] -  No filename found. Continuing.
[05/25/2007, 19:26:12] -  BHO 7: {53707962-6F74-2D53-2644-206D7942484F} ()
[05/25/2007, 19:26:12] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/25/2007, 19:26:13] -  Checking for HKLM\...\Winlogon\Notify\SDHelper
[05/25/2007, 19:26:13] -  Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[05/25/2007, 19:26:13] -  BHO 8: {55DB983C-BDBF-426f-86F0-187B02DDA39B} ()
[05/25/2007, 19:26:13] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/25/2007, 19:26:13] -  Checking for HKLM\...\Winlogon\Notify\yejagkds
[05/25/2007, 19:26:13] -  Key not found: HKLM\...\Winlogon\Notify\yejagkds, continuing.
[05/25/2007, 19:26:13] -  BHO 9: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[05/25/2007, 19:26:13] -  BHO 10: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
[05/25/2007, 19:26:13] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/25/2007, 19:26:13] -  No filename found. Continuing.
[05/25/2007, 19:26:13] -  BHO 11: {9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
[05/25/2007, 19:26:13] -  BHO 12: {B817A4B5-E3A1-46AE-9340-5448A8AC3033} (MSEvents Object)
[05/25/2007, 19:26:13] - ALERT: Found MSEvents Object!
[05/25/2007, 19:26:13] - Finished Searching Browser Helper Objects
[05/25/2007, 19:26:13] - *** Detected MSEvents Object
[05/25/2007, 19:26:13] - Trying to remove MSEvents Object...
[05/25/2007, 19:26:14] -    Terminating Process: IEXPLORE.EXE
[05/25/2007, 19:26:14] -    Terminating Process: RUNDLL32.EXE
[05/25/2007, 19:26:14] -    Disabling Automatic Shell Restart
[05/25/2007, 19:26:14] -    Terminating Process: EXPLORER.EXE
[05/25/2007, 19:26:14] -    Suspending the NT Session Manager System Service
[05/25/2007, 19:26:14] -    Terminating Windows NT Logon/Logoff Manager
[05/25/2007, 19:26:15] -    Re-enabling Automatic Shell Restart
[05/25/2007, 19:26:15] -   File to disable: C:\WINDOWS\system32\yayywwu.dll
[05/25/2007, 19:26:15] -  Renaming C:\WINDOWS\system32\yayywwu.dll -> C:\WINDOWS\system32\yayywwu.dll.vir
[05/25/2007, 19:26:15] -  File successfully renamed!
[05/25/2007, 19:26:15] -   Removing HKLM\...\Browser Helper Objects\{0233D1D6-E00D-4C45-BF14-485759765168}
[05/25/2007, 19:26:15] -   Removing HKCR\CLSID\{0233D1D6-E00D-4C45-BF14-485759765168}
[05/25/2007, 19:26:15] -   Adding Kill Bit for ActiveX for GUID: {0233D1D6-E00D-4C45-BF14-485759765168}
[05/25/2007, 19:26:15] -   Deleting ATLEvents/MSEvents Registry entries
[05/25/2007, 19:26:15] -   Removing HKLM\...\Winlogon\Notify\yayywwu
[05/25/2007, 19:26:15] - Searching for Browser Helper Objects:
[05/25/2007, 19:26:15] -  BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Aide pour le lien d'Adobe PDF Reader)
[05/25/2007, 19:26:15] -  BHO 2: {0C08621B-321A-4AE6-9771-6BF96C9FDA09} ()
[05/25/2007, 19:26:15] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/25/2007, 19:26:15] -  Checking for HKLM\...\Winlogon\Notify\ssqpo
[05/25/2007, 19:26:15] -  Key not found: HKLM\...\Winlogon\Notify\ssqpo, continuing.
[05/25/2007, 19:26:15] -  BHO 3: {260C7507-52FB-451A-B3D9-42D194BE7ECD} ()
[05/25/2007, 19:26:15] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/25/2007, 19:26:15] -  No filename found. Continuing.
[05/25/2007, 19:26:15] -  BHO 4: {28E44312-08D8-4531-94A1-DB35E891D59B} (MSEvents Object)
[05/25/2007, 19:26:15] - ALERT: Found MSEvents Object!
[05/25/2007, 19:26:15] -  BHO 5: {2EDB63B7-7432-42B8-B484-B7DE2779F848} ()
[05/25/2007, 19:26:15] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/25/2007, 19:26:15] -  No filename found. Continuing.
[05/25/2007, 19:26:15] -  BHO 6: {53707962-6F74-2D53-2644-206D7942484F} ()
[05/25/2007, 19:26:15] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/25/2007, 19:26:15] -  Checking for HKLM\...\Winlogon\Notify\SDHelper
[05/25/2007, 19:26:15] -  Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[05/25/2007, 19:26:15] -  BHO 7: {55DB983C-BDBF-426f-86F0-187B02DDA39B} ()
[05/25/2007, 19:26:15] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/25/2007, 19:26:15] -  Checking for HKLM\...\Winlogon\Notify\yejagkds
[05/25/2007, 19:26:15] -  Key not found: HKLM\...\Winlogon\Notify\yejagkds, continuing.
[05/25/2007, 19:26:15] -  BHO 8: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[05/25/2007, 19:26:15] -  BHO 9: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
[05/25/2007, 19:26:15] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/25/2007, 19:26:15] -  No filename found. Continuing.
[05/25/2007, 19:26:15] -  BHO 10: {9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
[05/25/2007, 19:26:15] -  BHO 11: {B817A4B5-E3A1-46AE-9340-5448A8AC3033} (MSEvents Object)
[05/25/2007, 19:26:15] - ALERT: Found MSEvents Object!
[05/25/2007, 19:26:15] - Finished Searching Browser Helper Objects
[05/25/2007, 19:26:15] - *** Detected MSEvents Object
[05/25/2007, 19:26:15] - Trying to remove MSEvents Object...
[05/25/2007, 19:26:16] -    Terminating Process: IEXPLORE.EXE
[05/25/2007, 19:26:17] -    Terminating Process: RUNDLL32.EXE
[05/25/2007, 19:26:17] -    Disabling Automatic Shell Restart
[05/25/2007, 19:26:17] -    Terminating Process: EXPLORER.EXE
[05/25/2007, 19:26:17] -    Suspending the NT Session Manager System Service
[05/25/2007, 19:26:17] -    Terminating Windows NT Logon/Logoff Manager
[05/25/2007, 19:26:17] -    Re-enabling Automatic Shell Restart
[05/25/2007, 19:26:17] -   File to disable: C:\WINDOWS\system32\jkkli.dll
[05/25/2007, 19:26:17] -   Removing HKLM\...\Browser Helper Objects\{28E44312-08D8-4531-94A1-DB35E891D59B}
[05/25/2007, 19:26:17] -   Removing HKCR\CLSID\{28E44312-08D8-4531-94A1-DB35E891D59B}
[05/25/2007, 19:26:17] -   Adding Kill Bit for ActiveX for GUID: {28E44312-08D8-4531-94A1-DB35E891D59B}
[05/25/2007, 19:26:17] -   Deleting ATLEvents/MSEvents Registry entries
[05/25/2007, 19:26:17] -   Removing HKLM\...\Winlogon\Notify\jkkli
[05/25/2007, 19:26:17] - Searching for Browser Helper Objects:
[05/25/2007, 19:26:17] -  BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Aide pour le lien d'Adobe PDF Reader)
[05/25/2007, 19:26:17] -  BHO 2: {0C08621B-321A-4AE6-9771-6BF96C9FDA09} ()
[05/25/2007, 19:26:17] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/25/2007, 19:26:17] -  Checking for HKLM\...\Winlogon\Notify\ssqpo
[05/25/2007, 19:26:17] -  Key not found: HKLM\...\Winlogon\Notify\ssqpo, continuing.
[05/25/2007, 19:26:17] -  BHO 3: {260C7507-52FB-451A-B3D9-42D194BE7ECD} ()
[05/25/2007, 19:26:17] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/25/2007, 19:26:17] -  No filename found. Continuing.
[05/25/2007, 19:26:17] -  BHO 4: {2EDB63B7-7432-42B8-B484-B7DE2779F848} ()
[05/25/2007, 19:26:17] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/25/2007, 19:26:17] -  No filename found. Continuing.
[05/25/2007, 19:26:17] -  BHO 5: {53707962-6F74-2D53-2644-206D7942484F} ()
[05/25/2007, 19:26:17] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/25/2007, 19:26:17] -  Checking for HKLM\...\Winlogon\Notify\SDHelper
[05/25/2007, 19:26:17] -  Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[05/25/2007, 19:26:17] -  BHO 6: {55DB983C-BDBF-426f-86F0-187B02DDA39B} ()
[05/25/2007, 19:26:17] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/25/2007, 19:26:17] -  Checking for HKLM\...\Winlogon\Notify\yejagkds
[05/25/2007, 19:26:17] -  Key not found: HKLM\...\Winlogon\Notify\yejagkds, continuing.
[05/25/2007, 19:26:17] -  BHO 7: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[05/25/2007, 19:26:17] -  BHO 8: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
[05/25/2007, 19:26:17] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/25/2007, 19:26:17] -  No filename found. Continuing.
[05/25/2007, 19:26:17] -  BHO 9: {9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
[05/25/2007, 19:26:17] -  BHO 10: {B817A4B5-E3A1-46AE-9340-5448A8AC3033} (MSEvents Object)
[05/25/2007, 19:26:17] - ALERT: Found MSEvents Object!
[05/25/2007, 19:26:17] - Finished Searching Browser Helper Objects
[05/25/2007, 19:26:17] - *** Detected MSEvents Object
[05/25/2007, 19:26:17] - Trying to remove MSEvents Object...
[05/25/2007, 19:26:18] -    Terminating Process: IEXPLORE.EXE
[05/25/2007, 19:26:19] -    Terminating Process: RUNDLL32.EXE
[05/25/2007, 19:26:19] -    Disabling Automatic Shell Restart
[05/25/2007, 19:26:19] -    Terminating Process: EXPLORER.EXE
[05/25/2007, 19:26:19] -    Suspending the NT Session Manager System Service
[05/25/2007, 19:26:19] -    Terminating Windows NT Logon/Logoff Manager
[05/25/2007, 19:26:19] -    Re-enabling Automatic Shell Restart
[05/25/2007, 19:26:19] -   File to disable: C:\WINDOWS\system32\jkkji.dll
[05/25/2007, 19:26:19] -   Removing HKLM\...\Browser Helper Objects\{B817A4B5-E3A1-46AE-9340-5448A8AC3033}
[05/25/2007, 19:26:19] -   Removing HKCR\CLSID\{B817A4B5-E3A1-46AE-9340-5448A8AC3033}
[05/25/2007, 19:26:19] -   Adding Kill Bit for ActiveX for GUID: {B817A4B5-E3A1-46AE-9340-5448A8AC3033}
[05/25/2007, 19:26:19] -   Deleting ATLEvents/MSEvents Registry entries
[05/25/2007, 19:26:19] -   Removing HKLM\...\Winlogon\Notify\jkkji
[05/25/2007, 19:26:19] - Searching for Browser Helper Objects:
[05/25/2007, 19:26:19] -  BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Aide pour le lien d'Adobe PDF Reader)
[05/25/2007, 19:26:19] -  BHO 2: {0C08621B-321A-4AE6-9771-6BF96C9FDA09} ()
[05/25/2007, 19:26:19] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/25/2007, 19:26:19] -  Checking for HKLM\...\Winlogon\Notify\ssqpo
[05/25/2007, 19:26:19] -  Key not found: HKLM\...\Winlogon\Notify\ssqpo, continuing.
[05/25/2007, 19:26:19] -  BHO 3: {260C7507-52FB-451A-B3D9-42D194BE7ECD} ()
[05/25/2007, 19:26:19] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/25/2007, 19:26:19] -  No filename found. Continuing.
[05/25/2007, 19:26:19] -  BHO 4: {2EDB63B7-7432-42B8-B484-B7DE2779F848} ()
[05/25/2007, 19:26:19] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/25/2007, 19:26:19] -  No filename found. Continuing.
[05/25/2007, 19:26:19] -  BHO 5: {53707962-6F74-2D53-2644-206D7942484F} ()
[05/25/2007, 19:26:19] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/25/2007, 19:26:19] -  Checking for HKLM\...\Winlogon\Notify\SDHelper
[05/25/2007, 19:26:19] -  Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[05/25/2007, 19:26:19] -  BHO 6: {55DB983C-BDBF-426f-86F0-187B02DDA39B} ()
[05/25/2007, 19:26:19] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/25/2007, 19:26:19] -  Checking for HKLM\...\Winlogon\Notify\yejagkds
[05/25/2007, 19:26:19] -  Key not found: HKLM\...\Winlogon\Notify\yejagkds, continuing.
[05/25/2007, 19:26:19] -  BHO 7: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[05/25/2007, 19:26:19] -  BHO 8: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
[05/25/2007, 19:26:19] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/25/2007, 19:26:19] -  No filename found. Continuing.
[05/25/2007, 19:26:19] -  BHO 9: {9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
[05/25/2007, 19:26:19] - Finished Searching Browser Helper Objects
[05/25/2007, 19:26:19] - Finishing up...
[05/25/2007, 19:26:19] - A restart is needed.
[05/25/2007, 19:26:28] - Attempting to Restart via STOP error (Blue Screen!)

[05/25/2007, 19:48:11] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings
icolas\Bureau\VirtumundoBeGone.exe" )
[05/25/2007, 19:48:26] - Detected System Information:
[05/25/2007, 19:48:26] -  Windows Version: 5.1.2600, Service Pack 2
[05/25/2007, 19:48:26] -  Current Username: nicolas (Admin)
[05/25/2007, 19:48:26] -  Windows is in NORMAL mode.
[05/25/2007, 19:48:26] - Searching for Browser Helper Objects:
[05/25/2007, 19:48:26] -  BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Aide pour le lien d'Adobe PDF Reader)
[05/25/2007, 19:48:26] -  BHO 2: {0C08621B-321A-4AE6-9771-6BF96C9FDA09} ()
[05/25/2007, 19:48:26] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/25/2007, 19:48:26] -  Checking for HKLM\...\Winlogon\Notify\ssqpo
[05/25/2007, 19:48:26] -  Key not found: HKLM\...\Winlogon\Notify\ssqpo, continuing.
[05/25/2007, 19:48:26] -  BHO 3: {260C7507-52FB-451A-B3D9-42D194BE7ECD} ()
[05/25/2007, 19:48:26] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/25/2007, 19:48:26] -  No filename found. Continuing.
[05/25/2007, 19:48:26] -  BHO 4: {2EDB63B7-7432-42B8-B484-B7DE2779F848} ()
[05/25/2007, 19:48:26] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/25/2007, 19:48:26] -  No filename found. Continuing.
[05/25/2007, 19:48:26] -  BHO 5: {53707962-6F74-2D53-2644-206D7942484F} ()
[05/25/2007, 19:48:26] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/25/2007, 19:48:26] -  Checking for HKLM\...\Winlogon\Notify\SDHelper
[05/25/2007, 19:48:26] -  Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[05/25/2007, 19:48:26] -  BHO 6: {55DB983C-BDBF-426f-86F0-187B02DDA39B} ()
[05/25/2007, 19:48:26] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/25/2007, 19:48:26] -  Checking for HKLM\...\Winlogon\Notify\yejagkds
[05/25/2007, 19:48:26] -  Key not found: HKLM\...\Winlogon\Notify\yejagkds, continuing.
[05/25/2007, 19:48:26] -  BHO 7: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[05/25/2007, 19:48:26] -  BHO 8: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
[05/25/2007, 19:48:26] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/25/2007, 19:48:26] -  No filename found. Continuing.
[05/25/2007, 19:48:26] -  BHO 9: {9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
[05/25/2007, 19:48:26] - Finished Searching Browser Helper Objects
[05/25/2007, 19:48:26] - Finishing up...
[05/25/2007, 19:48:26] - Nothing found! Exiting...

ainsi que le rapport de hyjackthis:

Logfile of HijackThis v1.99.1
Scan saved at 19:58:41, on 25/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset
od32krn.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Fichiers communs\Real\Update_OBealsched.exe
C:\Program Files\AGEIA Technologies\TrayIcon.exe
C:\Program Files\TomTom HOME\TomTomHOME.exe
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Eset
od32kui.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\PROGRA~1\MICROS~3apimgr.exe
C:\Program Files\SAGEM Wi-Fi USB 802.11g\WLANUTL.exe
C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\BricoPacks\Vista Inspirat\ObjectDock\ObjectDock.exe
C:\WINDOWS\BricoPacks\Vista Inspirat\YzToolbar\YzToolBar.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis Version Française\VERSION TRADUITE ORIGINALE.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.msn.com/fr-fr
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.msn.com/fr-fr/?ocid=iehp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.msn.com/fr-fr/?ocid=iehp
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - URLSearchHook: Yahoo! Toolbar avec bloqueur de fenêtres pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Aide pour le lien d'Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0C08621B-321A-4AE6-9771-6BF96C9FDA09} - C:\WINDOWS\system32\ssqpo.dll (file missing)
O2 - BHO: (no name) - {260C7507-52FB-451A-B3D9-42D194BE7ECD} - (no file)
O2 - BHO: (no name) - {2EDB63B7-7432-42B8-B484-B7DE2779F848} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {55DB983C-BDBF-426f-86F0-187B02DDA39B} - C:\WINDOWS\system32\yejagkds.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe"  -lang 1033
O4 - HKLM\..\Run: [Anti-Blaxx Manager] :C:\Program Files\Anti-Blaxx\Anti-Blaxx.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OBealsched.exe"  -osboot
O4 - HKLM\..\Run: [AGEIA PhysX SysTray] C:\Program Files\AGEIA Technologies\TrayIcon.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME\TomTomHOME.exe" -s
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset
od32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [I downloaded pirated Software from P2P 2006] Command  Conquer 3 Tiberium Wars
O4 - HKLM\..\Run: [I downloaded pirated Software from P2P] Command  Conquer 3 Tiberium Wars Kane Edition
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -masquer
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\system32\cijryljx.dll",realset
O4 - HKLM\..\Run: [SDTray] C:\Program Files\Spyware Doctor\SDTrayApp.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat\ObjectDock\ObjectDock.exe
O4 - Startup: Y'z ToolBar.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat\YzToolbar\YzToolBar.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Reader 8.0\Readereader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Utilitaire réseau pour SAGEM Wi-Fi 11g USB adapter.lnk = ?
O4 - Global Startup: Wireless Configuration Utility HW.51.lnk = C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe
O8 - Extra context menu item: Convertir les liens sélectionnés en fichier Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Créer un favori mobile... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/...
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHIE~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: ddayx - C:\WINDOWS\system32\ddayx.dll (file missing)
O20 - Winlogon Notify: ddccc - C:\WINDOWS\
O20 - Winlogon Notify: mljjg - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Boonty Games - BOONTY - C:\Program Files\Fichiers communs\BOONTY Shared\Service\Boonty.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - C:\Program Files\Eset
od32krn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

merci encore

Lyonnais92 · Answer

Re,

relance hijackthis, choisis do a scan only.

coche la case devant ces lignes :

O2 - BHO: (no name) - {0C08621B-321A-4AE6-9771-6BF96C9FDA09} - C:\WINDOWS\system32\ssqpo.dll (file missing)  
O2 - BHO: (no name) - {260C7507-52FB-451A-B3D9-42D194BE7ECD} - (no file)  
O2 - BHO: (no name) - {2EDB63B7-7432-42B8-B484-B7DE2779F848} - (no file) 
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [I downloaded pirated Software from P2P 2006] Command Conquer 3 Tiberium Wars  
O4 - HKLM\..\Run: [I downloaded pirated Software from P2P] Command Conquer 3 Tiberium Wars Kane Edition 
O20 - Winlogon Notify: ddayx - C:\WINDOWS\system32\ddayx.dll (file missing)  
O20 - Winlogon Notify: ddccc - C:\WINDOWS\  
 O20 - Winlogon Notify: mljjg - C:\WINDOWS\ 


Ferme toutes les fenêtres actives et clique sur fix checked.

Ferme Hijackthis.

Relance Vundofix et poste le log.

remats aussi un log Hijackthis.
@+

alexplorer · Answer

Bonjour, je me glisse vite fait dans la convers...
Juste que j'ai été infecté par virtumonde ya peu de temps et grace à VirtumundoBegone (lien donné plus haut par lyonnais92) j'ai pu l'eradiquer.
Voili voilou bon courage.

Lyonnais92 · Answer

Bonjour,

Poste le log de Vundofix.

@+

Lyonnais92 · Answer

Bonjour,

is it necessary that I speak english ?

post 16 Poste le log de Vundofix.
post 17 VirtumundoBeGone v1.5

J'attends le post de Vundofix.
@+

Lyonnais92 · Answer

Re,

1) Regarde si tu as ce fichier : C:\vundofix.txt . Sinon cherche avec la fonction rechercher de Windows.

Pour le copier-coller, ouvre le avec le bloc-notes (notepad).

2) Tu ne sembles pas avoir de parefeu (sauf si NOD32 a cette fonction sans qu'elle transparaise dans le log). Ouvre ce lien et télécharge et configure kerio (gratuit même aperès la période d'essai) :

http://kerio.probb.fr/Systemesd-exploitation-c1/Logiciels-et-tutoriels-gratuits-tries-par-categorie-f6/Tutoriel-pour-Kerio-4-version-gratuite-t201.htm

3) Double-clique VundoFix.exe afin de le lancer. 

Fais un clic droit dans la fenêtre blanche et clique "Add more files?" 

Dans la nouvelle fenêtre qui apparait, Copie/colle le chemin du fichier suivant dans la première case (au haut): 


C:\WINDOWS\system32\yejagkds.dll 


Clique sur le bouton "Add File(s)" 

Clique sur le bouton "Close Window". 

Clique à nouveau sur "Remove Vundo" 

Une invite te demandera si tu veux supprimer les fichiers, clique YES 

Après avoir cliqué "Yes", le Bureau disparaîtra un moment lors de la suppression des fichiers. 

Tu verras une invite qui t'annonce que ton PC va s'éteindre ("shutdown"); clique OK 

4) remets un log Hijackthis

@+

Lyonnais92 · Answer

Bonjour,

OK, c'était bien ça.

remets un log Hijackthis.
@+

inconico · Answer

re, 
ci joint le log:

Logfile of HijackThis v1.99.1
Scan saved at 08:13:58, on 31/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\Program Files\Eset
od32krn.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\AGEIA Technologies\TrayIcon.exe
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
C:\Program Files\Eset
od32kui.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\PROGRA~1\MICROS~3apimgr.exe
C:\Program Files\SAGEM Wi-Fi USB 802.11g\WLANUTL.exe
C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\BricoPacks\Vista Inspirat\ObjectDock\ObjectDock.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\BricoPacks\Vista Inspirat\YzToolbar\YzToolBar.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Fichiers communs\Real\Update_OBealsched.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Hijackthis Version Française\VERSION TRADUITE ORIGINALE.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.msn.com/fr-fr
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.msn.com/fr-fr/?ocid=iehp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.msn.com/fr-fr/?ocid=iehp
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - URLSearchHook: Yahoo! Toolbar avec bloqueur de fenêtres pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Aide pour le lien d'Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {55DB983C-BDBF-426f-86F0-187B02DDA39B} - C:\WINDOWS\system32\yejagkds.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe"  -lang 1033
O4 - HKLM\..\Run: [Anti-Blaxx Manager] :C:\Program Files\Anti-Blaxx\Anti-Blaxx.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OBealsched.exe"  -osboot
O4 - HKLM\..\Run: [AGEIA PhysX SysTray] C:\Program Files\AGEIA Technologies\TrayIcon.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME\TomTomHOME.exe" -s
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset
od32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -masquer
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\system32\cijryljx.dll",realset
O4 - HKLM\..\Run: [SDTray] C:\Program Files\Spyware Doctor\SDTrayApp.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat\ObjectDock\ObjectDock.exe
O4 - Startup: Y'z ToolBar.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat\YzToolbar\YzToolBar.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Reader 8.0\Readereader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Utilitaire réseau pour SAGEM Wi-Fi 11g USB adapter.lnk = ?
O4 - Global Startup: Wireless Configuration Utility HW.51.lnk = C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe
O8 - Extra context menu item: Convertir les liens sélectionnés en fichier Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Créer un favori mobile... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/...
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHIE~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Boonty Games - BOONTY - C:\Program Files\Fichiers communs\BOONTY Shared\Service\Boonty.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - C:\Program Files\Eset
od32krn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

Lyonnais92 · Answer

Bonjour,

Relance HijackThis.

Choisis Do a scan only

Coche la case devant les lignes suivantes 

O2 - BHO: (no name) - {55DB983C-BDBF-426f-86F0-187B02DDA39B} - C:\WINDOWS\system32\yejagkds.dll
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\system32\cijryljx.dll",realset

Ferme toutes les fenêtres (hormis HijackThis), y compris ton navigateur.

Clique sur fix checked.

Ferme Hijackthis.

Double-clique VundoFix.exe afin de le lancer 
NE clique PAS sur le bouton Scan for Vundo 
Clique Droit dans la fenêtre blanche, choisis Add more files ? 
Rajoute dans la première ligne : 
C:\WINDOWS\system32\yejagkds.dll
Dans la deuxième ligne : 
C:\WINDOWS\system32\cijryljx.dll


Clique successivement sur : 
- Add Files 
- Close Windows 
- Remove Vundo 


Si l'outil te demande de redémarrer, accepte. 
Copie/Colle ensuite le rapport C:\vundofix.txt 

Si tu ne trouves pas le 2ème fichier, tu continues.

remets un nouveau log Hijackthis.
@+

Lyonnais92 · Answer

Bonsoir,

on va supprimer les vieilles versions de java.

Démarrer, panneau de configuration, Ajout/suppression de programmes.

Cherche java Run time environment;

Supprimmes les vieilles versions ( Java version is 1.4.2.5 
Java version is 1.5.0.6 
Java version is 1.5.0.9 
Java version is 1.5.0.10 
Java version is 1.5.0.11 ).

redémarre l'ordi et remets un log Hijackthis.
@+

Lyonnais92 · Answer

Bonsoir,

désolé de t'avoir un peu zappé, mais ton log est propre et je suis un peu bousculé.

par contre, tu n'as pas de parefeu. Ouvre ce lien télécharge et configure Kerio

http://kerio.probb.fr/Systemesd-exploitation-c1/Logiciels-et-tutoriels-gratuits-tries-par-categorie-f6/Tutoriel-pour-Kerio-4-version-gratuite-t201.htm

@+

Lyonnais92 · Answer

Re,

de rien, par contre, j'aimerai bien avoir un log Hijackthis avec Kerio;
@+

Lyonnais92 · Answer

Bonjour,

le log est propre.

A moins que tu ais des soucis, ce problème me semble résolu.
@+

inconico · Answer

bonsoir,

j'ai lancé un scan avec spywar doctor, et lorsque je suis revenu, je vois MISSING OPERATING SYSTEM!!
je relance mon pc et cela recommence

peux tu m'aider?

merci

Lyonnais92 · Answer

Bonjour,

peux tu être précis sur ce qui se passe.

Tu lances le pc, le bios démarre, ensuite ?

@+

inconico · Answer

re,
le bios se lance mais après plus rien , ecran noir 
boot cd
et le message juste après.

rien ne se passe...

salwa5 · Answer

bonsoir as tu le cd windows xp? si c le cas essay de reparer windows ensuivant les indications de ce site 

http://www.informatruc.com/reparer-windows-xp-2 

a+++

Lyonnais92 · Answer

Bonsoir,

salwa, merci de ton intervention.

inconico, suis les priopositions de salwa comme tu as suivi les miennes.

De toute manière, je vais continuer à suivre le post.
@+

Momor · Answer

Bonjour,

Moi aussi j'ai été infecté par "virtumundo". Après avoir tenté de mon propre chef une analyse Bit-Defender en ligne et un scan Spybot, la sale bête était toujours présente.
J'ai donc suivi la procédure décrite par Lyonnais92:

1) Scan AVG pour bien confirmer que virtumundo est là (et il a l'air de s'y plaire!!!)
2) HijackThis
3) Vundofix, qui a trouvé quelque chose et l'a supprimé
4) Redémarrage et plantage en règle.
5) Nouveau redémarrage et tout à l'air de marcher
6) Scan AVG pour être sûr....Pas de problèmes détectés!!! Victoire!!

Ma question arrive maintenant:

J'ai refait un scan avec HijackThis, et j'ai remarquer certaines lignes où apparaissent des DLL qui (il me semble) avaient été supprimées par Vundofix. Sachant qu'apparemment  tout va bien, est-il nécessaire de supprimer ces entrées? d'ailleurs est-ce bien les DLL infectées par virtumundo?

J'ai bien sûr sauvegarder les rapports de AVG et HijackThis avant et après la suppression, et peut par conséquent vous les communiquer si nécessaire.

Merci beaucoup de votre aide, et de vos conseils.

Lyonnais92 · Answer

Bonsoir momor,
Il serait préférable que tu fasses ton message personnel, cela rendra les postes plus compréhensibles et la réponse à ton problème sera plus efficace 
Procèdes comme ceci : 
 

http://perso.orange.fr/rginformatique/section%20virus/demofairesontmessage.htm 
Bonne suite.

salwa5 · Answer

ree :) il me semble que sur ce site http://www.cybersolus.net/windows/cdxp/creer_un_vrai_cd_de_windows-xp-01.htm  , il t'explique comment transformé  un cd de restauration en cd d'instalation windows xp   donc t'as pas besoin du dossier  i386 ?? 

a+++

salwa5 · Answer

franchement je ne sais pas ce qui cloche :/ 
. essay de te procuerer un cd windows xp ( de chez un ami par exemple) ensuite repare windows ensuivant les methode ce site  http://www.cybersolus.net/windows/windows_xp/faq/reparer_windows_xp01.html

ps : ca peu marcher avec n'importe quelle cd windows xp 

a++

Pc infecté par virtumonde

30 réponses

Votre réponse

Newsletters