Khffccc.dll Impossible a supprimé

Résolu
Hermos Messages postés 59 Statut Membre -  
ep44 Messages postés 7415 Date d'inscription   Statut Contributeur Dernière intervention   -
Bonjour,
je suis infecté par ce virus depuis quelque jours , et je n'arrive pas a le supprimé de mon pc il se localise dans C:\WINDOWS\system32\khffccc.dll , j'ai NOD32 comme anti-virus et il le détecte 1/3 quand après le redémarrage du pc .il me propose de redémarrer pour terminé la suppression c fait mais le virus est toujours la dans le même répertoire je n'arrive pas a le supprimé même en mode sans échec
svp aidez moi
merci d'avance
Configuration: Windows XP
Firefox 2.0.0.12

6 réponses

  1. ep44 Messages postés 7415 Date d'inscription   Statut Contributeur Dernière intervention   3
     
    Bonsoir

    Télécharge sur le bureau

    ftp://ftp.commentcamarche.com/download/HJTInstall.exe

    = Double-clic dessus pour l'installer
    = ensuite va dans C:==> program files ==> trend micro => ouvre hijack et renomme le petit bonhomme avec une loupe par ton speudo.exe
    = Clic Do a system scan and save the log
    =coller le rapport
    si problème voir l'aide
    http://perso.orange.fr/rginformatique/section%20virus/demohijack.htm

    @+
    1
  2. ep44 Messages postés 7415 Date d'inscription   Statut Contributeur Dernière intervention   3
     
    re

    Télécharge sur ton bureau RHosts (Merci à S!ri) disponible ici,
    http://siri.urz.free.fr/Softs/RHosts.exe
    Double-clique sur Rhosts.exe et clique sur "restaurer".

    ensuite il faut renommer hijack
    tu vas dans C:\Program Files\Trend Micro\HijackThis\HijackThis.exe et tu le renomme par exemple par Hermos.exe

    ensuite

    Télécharge sur le Bureau.
    http://www.atribune.org/ccount/click.php?id=4

    => Double-clic VundoFix.exe.
    => Clic OK
    => Attendre le redemarrage de Vundofix
    => Clic Scan for Vundo
    => Le scan est assez long , à la fin
    => Clic Remove Vundo
    => Puis yes
    => Le Bureau disparaît un moment lors de la suppression des fichiers.
    => Message shutdown
    => clic OK
    => Redémarrage auto
    => copier le rapport qui est dans C:vundofix.txt

    ensuite
    Télécharge VirtumundoBeGone sur ton bureau .
    http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe
    => double-clic sur VirtumundoBeGone.exe
    => Suis les instructions à l'écran
    => Quand le scan est terminé, enregistre le rapport.
    => Copie/Colle le ici

    ensuite

    Télécharge Combofix http://download.bleepingcomputer.com/sUBs/ComboFix.exe
    et sauvegarde le sur ton bureau et pas ailleurs!

    Double-clic sur combofix,
    Attends que combofix ait terminé, un rapport sera créé. Poste le rapport.

    @+
    1
  3. Hermos Messages postés 59 Statut Membre 4
     
    bonsoir,
    voici le report de hijackthis :

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 22:52:56, on 24/03/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0013)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\a-squared Free\a2service.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\ATKKBService.exe
    C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Eset\nod32krn.exe
    C:\Program Files\Olivetti\ANY_WAY\olMntrService.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\WINDOWS\system32\RunDll32.exe
    C:\Program Files\Eset\nod32kui.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\Program Files\Olivetti\ANY_WAY\olDvcStatus.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Fichiers communs\InstallShield\UpdateService\issch.exe
    C:\WINDOWS\system32\Rundll32.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
    C:\Program Files\GetRight\getright.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\GetRight\getright.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.msn.com/fr-fr/?ocid=iehp
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.msn.com/fr-fr/?ocid=iehp
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://www.youtube.com;http://www.google.fr;*.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
    O1 - Hosts: 90.1.36.245 l2authd.lineage2.com
    O1 - Hosts: 216.107.250.194 nProtect.lineage2.com
    O1 - Hosts: 216.107.250.194 update.nProtect.com
    O1 - Hosts: 216.107.250.194 update.nProtect.net
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] "C:\Program Files\Ahead\InCD\InCD.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [OlStatusMon] "C:\Program Files\Olivetti\ANY_WAY\olDvcStatus.exe" dvcStatusMinimize
    O4 - HKLM\..\Run: [20805a46] rundll32.exe "C:\WINDOWS\system32\quxefsyy.dll",b
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Fichiers communs\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Fichiers communs\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [BM23b369da] Rundll32.exe "C:\WINDOWS\system32\jgybfdtu.dll",s
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: DSLMON.lnk = ?
    O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Fichiers communs\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
    O23 - Service: olMntrService - Olivetti - C:\Program Files\Olivetti\ANY_WAY\olMntrService.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    0
  4. Hermos Messages postés 59 Statut Membre 4
     
    re
    voila le rapport de vundofix
    VundoFix V7.0.3

    Scan started at 14:42:23 20/03/2008

    Listing files found while scanning....

    C:\Program Files\PowerISO\PWRISOSH.DLL
    C:\windows\system32\ddcyw.dll
    C:\windows\system32\wycdd.ini
    C:\windows\system32\wycdd.ini2

    Beginning removal...

    Attempting to delete C:\windows\system32\ddcyw.dll
    C:\windows\system32\ddcyw.dll Has been deleted!

    Attempting to delete C:\windows\system32\wycdd.ini
    C:\windows\system32\wycdd.ini Has been deleted!

    Attempting to delete C:\windows\system32\wycdd.ini2
    C:\windows\system32\wycdd.ini2 Has been deleted!

    Performing Repairs to the registry.
    Done!

    VundoFix V7.0.3

    Scan started at 23:26:20 24/03/2008

    Listing files found while scanning....

    C:\Program Files\PowerISO\PWRISOSH.DLL

    Beginning removal...

    Attempting to delete C:\Program Files\PowerISO\PWRISOSH.DLL
    C:\Program Files\PowerISO\PWRISOSH.DLL Has been deleted!

    Performing Repairs to the registry.
    Done!

    je n'es pas encore terminé les autre étapes je te dirai d'es que je les aurai faite
    0
  5. Vous n’avez pas trouvé la réponse que vous recherchez ?

    Posez votre question
  6. Hermos Messages postés 59 Statut Membre 4
     
    re voila la suite
    voici le rapport de VirtumundoBeGone.exe
    [03/24/2008, 23:49:29] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\BuzzLeclair\Bureau\VirtumundoBeGone.exe" )
    [03/24/2008, 23:49:56] - Detected System Information:
    [03/24/2008, 23:49:56] - Windows Version: 5.1.2600, Service Pack 2
    [03/24/2008, 23:49:56] - Current Username: BuzzLeclair (Admin)
    [03/24/2008, 23:49:56] - Windows is in NORMAL mode.
    [03/24/2008, 23:49:56] - Searching for Browser Helper Objects:
    [03/24/2008, 23:49:56] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Aide pour le lien d'Adobe PDF Reader)
    [03/24/2008, 23:49:56] - BHO 2: {10ce7142-1733-4923-81ce-a558f86cc1ef} ()
    [03/24/2008, 23:49:56] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [03/24/2008, 23:49:56] - Checking for HKLM\...\Winlogon\Notify\gxpgjmsi
    [03/24/2008, 23:49:56] - Key not found: HKLM\...\Winlogon\Notify\gxpgjmsi, continuing.
    [03/24/2008, 23:49:56] - BHO 3: {11241072-58BB-40CE-9171-0B2BDFB22E97} ()
    [03/24/2008, 23:49:56] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [03/24/2008, 23:49:56] - Checking for HKLM\...\Winlogon\Notify\pmnonno
    [03/24/2008, 23:49:56] - Found: HKLM\...\Winlogon\Notify\pmnonno - This is probably Virtumundo.
    [03/24/2008, 23:49:56] - Assigning {11241072-58BB-40CE-9171-0B2BDFB22E97} MSEvents Object
    [03/24/2008, 23:49:56] - BHO list has been changed! Starting over...
    [03/24/2008, 23:49:56] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Aide pour le lien d'Adobe PDF Reader)
    [03/24/2008, 23:49:56] - BHO 2: {10ce7142-1733-4923-81ce-a558f86cc1ef} ()
    [03/24/2008, 23:49:56] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [03/24/2008, 23:49:56] - Checking for HKLM\...\Winlogon\Notify\gxpgjmsi
    [03/24/2008, 23:49:56] - Key not found: HKLM\...\Winlogon\Notify\gxpgjmsi, continuing.
    [03/24/2008, 23:49:56] - BHO 3: {11241072-58BB-40CE-9171-0B2BDFB22E97} (MSEvents Object)
    [03/24/2008, 23:49:56] - ALERT: Found MSEvents Object!
    [03/24/2008, 23:49:56] - BHO 4: {3049C3E9-B461-4BC5-8870-4C09146192CA} (RealPlayer Download and Record Plugin for Internet Explorer)
    [03/24/2008, 23:49:56] - BHO 5: {31FF080D-12A3-439A-A2EF-4BA95A3148E8} (bho2gr Class)
    [03/24/2008, 23:49:56] - BHO 6: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
    [03/24/2008, 23:49:56] - BHO 7: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
    [03/24/2008, 23:49:56] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [03/24/2008, 23:49:56] - No filename found. Continuing.
    [03/24/2008, 23:49:56] - BHO 8: {9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
    [03/24/2008, 23:49:56] - BHO 9: {9D873503-FD2C-4681-8D2F-5EE8209B2DB5} ()
    [03/24/2008, 23:49:56] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [03/24/2008, 23:49:56] - Checking for HKLM\...\Winlogon\Notify\awtqp
    [03/24/2008, 23:49:56] - Key not found: HKLM\...\Winlogon\Notify\awtqp, continuing.
    [03/24/2008, 23:49:56] - BHO 10: {B777CB37-46E1-4187-BDC7-916573CA23D0} ()
    [03/24/2008, 23:49:56] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [03/24/2008, 23:49:56] - No filename found. Continuing.
    [03/24/2008, 23:49:56] - BHO 11: {E9383002-FC55-4330-B9C9-67E03BC5C840} ()
    [03/24/2008, 23:49:56] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [03/24/2008, 23:49:56] - Checking for HKLM\...\Winlogon\Notify\khffccc
    [03/24/2008, 23:49:56] - Found: HKLM\...\Winlogon\Notify\khffccc - This is probably Virtumundo.
    [03/24/2008, 23:49:56] - Assigning {E9383002-FC55-4330-B9C9-67E03BC5C840} MSEvents Object
    [03/24/2008, 23:49:56] - BHO list has been changed! Starting over...
    [03/24/2008, 23:49:56] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Aide pour le lien d'Adobe PDF Reader)
    [03/24/2008, 23:49:56] - BHO 2: {10ce7142-1733-4923-81ce-a558f86cc1ef} ()
    [03/24/2008, 23:49:56] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [03/24/2008, 23:49:56] - Checking for HKLM\...\Winlogon\Notify\gxpgjmsi
    [03/24/2008, 23:49:56] - Key not found: HKLM\...\Winlogon\Notify\gxpgjmsi, continuing.
    [03/24/2008, 23:49:56] - BHO 3: {11241072-58BB-40CE-9171-0B2BDFB22E97} (MSEvents Object)
    [03/24/2008, 23:49:56] - ALERT: Found MSEvents Object!
    [03/24/2008, 23:49:56] - BHO 4: {3049C3E9-B461-4BC5-8870-4C09146192CA} (RealPlayer Download and Record Plugin for Internet Explorer)
    [03/24/2008, 23:49:56] - BHO 5: {31FF080D-12A3-439A-A2EF-4BA95A3148E8} (bho2gr Class)
    [03/24/2008, 23:49:56] - BHO 6: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
    [03/24/2008, 23:49:56] - BHO 7: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
    [03/24/2008, 23:49:56] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [03/24/2008, 23:49:56] - No filename found. Continuing.
    [03/24/2008, 23:49:56] - BHO 8: {9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
    [03/24/2008, 23:49:56] - BHO 9: {9D873503-FD2C-4681-8D2F-5EE8209B2DB5} ()
    [03/24/2008, 23:49:56] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [03/24/2008, 23:49:56] - Checking for HKLM\...\Winlogon\Notify\awtqp
    [03/24/2008, 23:49:56] - Key not found: HKLM\...\Winlogon\Notify\awtqp, continuing.
    [03/24/2008, 23:49:56] - BHO 10: {B777CB37-46E1-4187-BDC7-916573CA23D0} ()
    [03/24/2008, 23:49:56] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [03/24/2008, 23:49:56] - No filename found. Continuing.
    [03/24/2008, 23:49:56] - BHO 11: {E9383002-FC55-4330-B9C9-67E03BC5C840} (MSEvents Object)
    [03/24/2008, 23:49:56] - ALERT: Found MSEvents Object!
    [03/24/2008, 23:49:56] - Finished Searching Browser Helper Objects
    [03/24/2008, 23:49:56] - *** Detected MSEvents Object
    [03/24/2008, 23:49:56] - Trying to remove MSEvents Object...
    [03/24/2008, 23:49:57] - Terminating Process: IEXPLORE.EXE
    [03/24/2008, 23:49:57] - Terminating Process: RUNDLL32.EXE
    [03/24/2008, 23:49:57] - Disabling Automatic Shell Restart
    [03/24/2008, 23:49:57] - Terminating Process: EXPLORER.EXE
    [03/24/2008, 23:49:57] - Suspending the NT Session Manager System Service
    [03/24/2008, 23:49:57] - Terminating Windows NT Logon/Logoff Manager
    [03/24/2008, 23:49:57] - Re-enabling Automatic Shell Restart
    [03/24/2008, 23:49:57] - File to disable: C:\WINDOWS\system32\pmnonno.dll
    [03/24/2008, 23:49:57] - Renaming C:\WINDOWS\system32\pmnonno.dll -> C:\WINDOWS\system32\pmnonno.dll.vir
    [03/24/2008, 23:49:58] - ! File rename was unsucessful.
    [03/24/2008, 23:49:58] - Attempting to Deny Access to C:\WINDOWS\system32\pmnonno.dll
    [03/24/2008, 23:49:58] - *** IMPORTANT: Delete/Rename/Move on reboot (like Killbox) MAY NOT work.
    [03/24/2008, 23:49:58] - ERROR: Le mappage entre les noms de compte et les ID de sécurité n'a pas été effectué.

    [03/24/2008, 23:49:58] - *** IMPORTANT: The file is disabled and will need to be deleted by the user.
    [03/24/2008, 23:49:58] - Removing HKLM\...\Browser Helper Objects\{11241072-58BB-40CE-9171-0B2BDFB22E97}
    [03/24/2008, 23:49:58] - Removing HKCR\CLSID\{11241072-58BB-40CE-9171-0B2BDFB22E97}
    [03/24/2008, 23:49:58] - Adding Kill Bit for ActiveX for GUID: {11241072-58BB-40CE-9171-0B2BDFB22E97}
    [03/24/2008, 23:49:58] - Deleting ATLEvents/MSEvents Registry entries
    [03/24/2008, 23:49:58] - Removing HKLM\...\Winlogon\Notify\pmnonno
    [03/24/2008, 23:49:58] - Searching for Browser Helper Objects:
    [03/24/2008, 23:49:58] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Aide pour le lien d'Adobe PDF Reader)
    [03/24/2008, 23:49:58] - BHO 2: {10ce7142-1733-4923-81ce-a558f86cc1ef} ()
    [03/24/2008, 23:49:58] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [03/24/2008, 23:49:58] - Checking for HKLM\...\Winlogon\Notify\gxpgjmsi
    [03/24/2008, 23:49:58] - Key not found: HKLM\...\Winlogon\Notify\gxpgjmsi, continuing.
    [03/24/2008, 23:49:58] - BHO 3: {3049C3E9-B461-4BC5-8870-4C09146192CA} (RealPlayer Download and Record Plugin for Internet Explorer)
    [03/24/2008, 23:49:58] - BHO 4: {31FF080D-12A3-439A-A2EF-4BA95A3148E8} (bho2gr Class)
    [03/24/2008, 23:49:58] - BHO 5: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
    [03/24/2008, 23:49:58] - BHO 6: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
    [03/24/2008, 23:49:58] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [03/24/2008, 23:49:58] - No filename found. Continuing.
    [03/24/2008, 23:49:58] - BHO 7: {9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
    [03/24/2008, 23:49:58] - BHO 8: {9D873503-FD2C-4681-8D2F-5EE8209B2DB5} ()
    [03/24/2008, 23:49:58] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [03/24/2008, 23:49:58] - Checking for HKLM\...\Winlogon\Notify\awtqp
    [03/24/2008, 23:49:58] - Key not found: HKLM\...\Winlogon\Notify\awtqp, continuing.
    [03/24/2008, 23:49:58] - BHO 9: {B777CB37-46E1-4187-BDC7-916573CA23D0} ()
    [03/24/2008, 23:49:59] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [03/24/2008, 23:49:59] - No filename found. Continuing.
    [03/24/2008, 23:49:59] - BHO 10: {E9383002-FC55-4330-B9C9-67E03BC5C840} (MSEvents Object)
    [03/24/2008, 23:49:59] - ALERT: Found MSEvents Object!
    [03/24/2008, 23:49:59] - Finished Searching Browser Helper Objects
    [03/24/2008, 23:49:59] - *** Detected MSEvents Object
    [03/24/2008, 23:49:59] - Trying to remove MSEvents Object...
    [03/24/2008, 23:50:00] - Terminating Process: IEXPLORE.EXE
    [03/24/2008, 23:50:00] - Terminating Process: RUNDLL32.EXE
    [03/24/2008, 23:50:00] - Disabling Automatic Shell Restart
    [03/24/2008, 23:50:00] - Terminating Process: EXPLORER.EXE
    [03/24/2008, 23:50:00] - Suspending the NT Session Manager System Service
    [03/24/2008, 23:50:00] - Terminating Windows NT Logon/Logoff Manager
    [03/24/2008, 23:50:00] - Re-enabling Automatic Shell Restart
    [03/24/2008, 23:50:00] - File to disable: C:\WINDOWS\system32\khffccc.dll
    [03/24/2008, 23:50:00] - Renaming C:\WINDOWS\system32\khffccc.dll -> C:\WINDOWS\system32\khffccc.dll.vir
    [03/24/2008, 23:50:00] - ! File rename was unsucessful.
    [03/24/2008, 23:50:00] - Attempting to Deny Access to C:\WINDOWS\system32\khffccc.dll
    [03/24/2008, 23:50:00] - *** IMPORTANT: Delete/Rename/Move on reboot (like Killbox) MAY NOT work.
    [03/24/2008, 23:50:00] - ERROR: Le mappage entre les noms de compte et les ID de sécurité n'a pas été effectué.

    [03/24/2008, 23:50:00] - *** IMPORTANT: The file is disabled and will need to be deleted by the user.
    [03/24/2008, 23:50:00] - Removing HKLM\...\Browser Helper Objects\{E9383002-FC55-4330-B9C9-67E03BC5C840}
    [03/24/2008, 23:50:00] - Removing HKCR\CLSID\{E9383002-FC55-4330-B9C9-67E03BC5C840}
    [03/24/2008, 23:50:00] - Adding Kill Bit for ActiveX for GUID: {E9383002-FC55-4330-B9C9-67E03BC5C840}
    [03/24/2008, 23:50:00] - Deleting ATLEvents/MSEvents Registry entries
    [03/24/2008, 23:50:00] - Removing HKLM\...\Winlogon\Notify\khffccc
    [03/24/2008, 23:50:00] - Searching for Browser Helper Objects:
    [03/24/2008, 23:50:00] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Aide pour le lien d'Adobe PDF Reader)
    [03/24/2008, 23:50:00] - BHO 2: {10ce7142-1733-4923-81ce-a558f86cc1ef} ()
    [03/24/2008, 23:50:00] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [03/24/2008, 23:50:00] - Checking for HKLM\...\Winlogon\Notify\gxpgjmsi
    [03/24/2008, 23:50:00] - Key not found: HKLM\...\Winlogon\Notify\gxpgjmsi, continuing.
    [03/24/2008, 23:50:00] - BHO 3: {11241072-58BB-40CE-9171-0B2BDFB22E97} ()
    [03/24/2008, 23:50:00] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [03/24/2008, 23:50:00] - Checking for HKLM\...\Winlogon\Notify\pmnonno
    [03/24/2008, 23:50:00] - Found: HKLM\...\Winlogon\Notify\pmnonno - This is probably Virtumundo.
    [03/24/2008, 23:50:00] - Assigning {11241072-58BB-40CE-9171-0B2BDFB22E97} MSEvents Object
    [03/24/2008, 23:50:00] - BHO list has been changed! Starting over...
    [03/24/2008, 23:50:00] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Aide pour le lien d'Adobe PDF Reader)
    [03/24/2008, 23:50:00] - BHO 2: {10ce7142-1733-4923-81ce-a558f86cc1ef} ()
    [03/24/2008, 23:50:00] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [03/24/2008, 23:50:00] - Checking for HKLM\...\Winlogon\Notify\gxpgjmsi
    [03/24/2008, 23:50:00] - Key not found: HKLM\...\Winlogon\Notify\gxpgjmsi, continuing.
    [03/24/2008, 23:50:00] - BHO 3: {11241072-58BB-40CE-9171-0B2BDFB22E97} (MSEvents Object)
    [03/24/2008, 23:50:00] - ALERT: Found MSEvents Object!
    [03/24/2008, 23:50:01] - BHO 4: {3049C3E9-B461-4BC5-8870-4C09146192CA} (RealPlayer Download and Record Plugin for Internet Explorer)
    [03/24/2008, 23:50:01] - BHO 5: {31FF080D-12A3-439A-A2EF-4BA95A3148E8} (bho2gr Class)
    [03/24/2008, 23:50:01] - BHO 6: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
    [03/24/2008, 23:50:01] - BHO 7: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
    [03/24/2008, 23:50:01] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [03/24/2008, 23:50:01] - No filename found. Continuing.
    [03/24/2008, 23:50:01] - BHO 8: {9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
    [03/24/2008, 23:50:01] - BHO 9: {9D873503-FD2C-4681-8D2F-5EE8209B2DB5} ()
    [03/24/2008, 23:50:01] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [03/24/2008, 23:50:01] - Checking for HKLM\...\Winlogon\Notify\awtqp
    [03/24/2008, 23:50:01] - Key not found: HKLM\...\Winlogon\Notify\awtqp, continuing.
    [03/24/2008, 23:50:01] - BHO 10: {B777CB37-46E1-4187-BDC7-916573CA23D0} ()
    [03/24/2008, 23:50:01] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [03/24/2008, 23:50:01] - No filename found. Continuing.
    [03/24/2008, 23:50:01] - Finished Searching Browser Helper Objects
    [03/24/2008, 23:50:01] - *** Detected MSEvents Object
    [03/24/2008, 23:50:01] - Trying to remove MSEvents Object...
    [03/24/2008, 23:50:02] - Terminating Process: IEXPLORE.EXE
    [03/24/2008, 23:50:02] - Terminating Process: RUNDLL32.EXE
    [03/24/2008, 23:50:02] - Disabling Automatic Shell Restart
    [03/24/2008, 23:50:02] - Terminating Process: EXPLORER.EXE
    [03/24/2008, 23:50:02] - Suspending the NT Session Manager System Service
    [03/24/2008, 23:50:02] - Terminating Windows NT Logon/Logoff Manager
    [03/24/2008, 23:50:02] - Re-enabling Automatic Shell Restart
    [03/24/2008, 23:50:02] - File to disable: C:\WINDOWS\system32\pmnonno.dll
    [03/24/2008, 23:50:02] - Renaming C:\WINDOWS\system32\pmnonno.dll -> C:\WINDOWS\system32\pmnonno.dll.vir
    [03/24/2008, 23:50:02] - ! File rename was unsucessful.
    [03/24/2008, 23:50:02] - Attempting to Deny Access to C:\WINDOWS\system32\pmnonno.dll
    [03/24/2008, 23:50:02] - *** IMPORTANT: Delete/Rename/Move on reboot (like Killbox) MAY NOT work.
    [03/24/2008, 23:50:02] - ERROR: Le mappage entre les noms de compte et les ID de sécurité n'a pas été effectué.

    [03/24/2008, 23:50:02] - *** IMPORTANT: The file is disabled and will need to be deleted by the user.
    [03/24/2008, 23:50:02] - Removing HKLM\...\Browser Helper Objects\{11241072-58BB-40CE-9171-0B2BDFB22E97}
    [03/24/2008, 23:50:04] - Removing HKCR\CLSID\{11241072-58BB-40CE-9171-0B2BDFB22E97}
    [03/24/2008, 23:50:05] - Adding Kill Bit for ActiveX for GUID: {11241072-58BB-40CE-9171-0B2BDFB22E97}
    [03/24/2008, 23:50:05] - Deleting ATLEvents/MSEvents Registry entries
    [03/24/2008, 23:50:05] - Removing HKLM\...\Winlogon\Notify\pmnonno
    [03/24/2008, 23:50:06] - Searching for Browser Helper Objects:
    [03/24/2008, 23:50:06] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Aide pour le lien d'Adobe PDF Reader)
    [03/24/2008, 23:50:06] - BHO 2: {10ce7142-1733-4923-81ce-a558f86cc1ef} ()
    [03/24/2008, 23:50:06] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [03/24/2008, 23:50:06] - Checking for HKLM\...\Winlogon\Notify\gxpgjmsi
    [03/24/2008, 23:50:06] - Key not found: HKLM\...\Winlogon\Notify\gxpgjmsi, continuing.
    [03/24/2008, 23:50:06] - BHO 3: {11241072-58BB-40CE-9171-0B2BDFB22E97} ()
    [03/24/2008, 23:50:06] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [03/24/2008, 23:50:06] - Checking for HKLM\...\Winlogon\Notify\pmnonno
    [03/24/2008, 23:50:06] - Key not found: HKLM\...\Winlogon\Notify\pmnonno, continuing.
    [03/24/2008, 23:50:06] - BHO 4: {3049C3E9-B461-4BC5-8870-4C09146192CA} (RealPlayer Download and Record Plugin for Internet Explorer)
    [03/24/2008, 23:50:06] - BHO 5: {31FF080D-12A3-439A-A2EF-4BA95A3148E8} (bho2gr Class)
    [03/24/2008, 23:50:06] - BHO 6: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
    [03/24/2008, 23:50:06] - BHO 7: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
    [03/24/2008, 23:50:06] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [03/24/2008, 23:50:06] - No filename found. Continuing.
    [03/24/2008, 23:50:06] - BHO 8: {9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
    [03/24/2008, 23:50:06] - BHO 9: {9D873503-FD2C-4681-8D2F-5EE8209B2DB5} ()
    [03/24/2008, 23:50:06] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [03/24/2008, 23:50:06] - Checking for HKLM\...\Winlogon\Notify\awtqp
    [03/24/2008, 23:50:06] - Key not found: HKLM\...\Winlogon\Notify\awtqp, continuing.
    [03/24/2008, 23:50:06] - BHO 10: {B777CB37-46E1-4187-BDC7-916573CA23D0} ()
    [03/24/2008, 23:50:06] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [03/24/2008, 23:50:06] - No filename found. Continuing.
    [03/24/2008, 23:50:06] - Finished Searching Browser Helper Objects
    [03/24/2008, 23:50:06] - Finishing up...
    [03/24/2008, 23:50:06] - A restart is needed.
    [03/24/2008, 23:50:28] - Attempting to Restart via STOP error (Blue Screen!)

    combo fix rapport trouvé dans c:combofix pas sur le bureau
    ComboFix 08-03-24.1 - BuzzLeclair 2008-03-25 0:00:29.1 - NTFSx86
    Microsoft Windows XP Professionnel 5.1.2600.2.1252.1.1036.18.617 [GMT 0:00]
    Endroit: C:\Documents and Settings\BuzzLeclair\Bureau\ComboFix.exe
    * Création d'un nouveau point de restauration
    * Resident AV is active

    [color=red][b]AVERTISSEMENT - LA CONSOLE DE RÉCUPÉRATION N'EST PAS INSTALLÉE SUR CETTE MACHINE !!/b/color
    .
    -- Script messages for sUBs --
    CF6349.exe /c " VFind.exe -ltf -s-1000000 -d+2007-12-24 "C:\Program Files\*" >progfile.dat"
    VFind.exe -ltf -s-1000000 -d+2007-12-24 "C:\Program Files\*"
    CF6349.exe /c " dir /a/s/b C:\_desktop.ini C:\desktop_.ini C:\cnsmin* C:\_install.exe >DirRoot"
    apres le fin de l'analyse de combofix le pc s'est blocké et et j'ai du redémarre manuellement
    je pense que le virus a été supprimé avec succes
    merci beaucoup =)
    0
  7. ep44 Messages postés 7415 Date d'inscription   Statut Contributeur Dernière intervention   3
     
    Bonjour

    ton rapport de combofix n'est aps complet
    il le faut en entier
    @+
    0