[[tr/vundo.gen aidez moi !!]]

standil64 Messages postés 11 Statut Membre -  
standil64 Messages postés 11 Statut Membre -
Bonjour,

antivir a detecté le virus tr/vundo.gen , evidament pas possible de l effacé . je vous detaille ce qui m arrive depuis .

le virus est infecté depuis le dossier systeme 32 est s apelle opnKETKb.dll

1_une page web s affiche et me dit : error detected , avertissement votre systeme n est pas optimizez .........
2_la souris ralentit souvent
3_l ordi ralentit
que dois-je faire ? aidez moi merci
Configuration: Windows Vista
Internet Explorer 7.0

9 réponses

  1. blablate
     
    salut

    télécharge hyjackthis, instal le et redémarre en mode san echec, apres lance le et fait un scan avec, post le rapport a la suite de mon message
    http://www.commentcamarche.net/telecharger/telecharger 159 hijackthis
    http://pageperso.aol.fr/balltrap34/Hijenr.gif

    malwarebytes, scan avec en mode sans échec et post aussi le rapport a la suite
    http://www.malwarebytes.org/mbam.php

    pour le vundo, essaye vundofix
    https://leblogdeclaude.blogspot.com/2007/05/procdure-vundofix.html

    (merci au passage pour ces tutos, éxelent)
    0
    1. standil64 Messages postés 11 Statut Membre
       
      salut , voila le rapport de hijack suivi de malware .



      _Running processes:
      C:\Windows\Explorer.EXE
      C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
      C:\Windows\system32\wbem\unsecapp.exe

      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
      R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
      R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
      R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
      O1 - Hosts: ::1 localhost
      O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
      O2 - BHO: (no name) - {121CF4BB-ABF0-475C-8756-576553BEF6A8} - C:\Windows\system32\opnKETKb.dll
      O2 - BHO: (no name) - {6A6EAE1B-4AD6-4035-974D-504D6DBAA9C3} - (no file)
      O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
      O2 - BHO: Windows Live Call HoverToCall class - {7E853D72-626A-48EC-A868-BA8D5E23E045} - C:\Program Files\Windows Live\Messenger\HTC.DLL
      O2 - BHO: Programme d'aide de l'Assistant de connexion Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
      O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
      O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
      O4 - HKLM\..\Run: [MGSysCtrl] C:\Program Files\System Control Manager\MGSysCtrl.exe
      O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
      O4 - HKLM\..\Run: [AuditVista]
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
      O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
      O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
      O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
      O4 - HKCU\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
      O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
      O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
      O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'SERVICE LOCAL')
      O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'SERVICE LOCAL')
      O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'SERVICE RÉSEAU')
      O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
      O8 - Extra context menu item: Ouvrir dans WordPerfect - C:\Program Files\WordPerfect Office X3\Programs\WPLauncher.hta
      O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
      O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
      O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
      O13 - Gopher Prefix:
      O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
      O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://signin3.valueactive.com/Register/Branding/olr3313/OCX/v1018/flashax.cab
      O16 - DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} (Flash Casino Helper Object) - https://spinpalace.microgaming.com/frspinpalace/FlashAX2.cab
      O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
      O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
      O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
      O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
      O23 - Service: echovnc-service - Unknown owner - C:\Program Files\EchoVNC\winvnc.exe (file missing)
      O23 - Service: SCM Driver Daemon (NishService) - Unknown owner - C:\Program Files\System Control Manager\edd.exe
      O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
      O23 - Service: O2Micro Flash Memory Card Service (o2flash) - O2Micro International - C:\Program Files\O2Micro Oz128 Driver\o2flash.exe
      O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
      O23 - Service: ProtexisLicensing - Unknown owner - C:\Windows\system32\PSIService.exe
      O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\System32\ZoneLabs\vsmon.exe
      0
  2. blablate
     
    salut,
    tu es bien infecté di don))
    aparament malwarebytes a repéré le vundo,

    1ER /
    lance quand meme le "remove vundo" avec vundofix en mode san echec

    2em/
    tu peus cocher et fixer ces lignes dans hijackthis

    O2 - BHO: (no name) - {121CF4BB-ABF0-475C-8756-576553BEF6A8} - C:\Windows\system32\opnKETKb.dll
    O2 - BHO: (no name) - {6A6EAE1B-4AD6-4035-974D-504D6DBAA9C3} - (no file)
    O4 - HKLM\..\Run: [AuditVista]
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'SERVICE LOCAL') => Microsoft Welcome Center
    O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://signin3.valueactive.com/Register/Branding/olr3313/OCX/v1018/flashax.cab => FlashXControl
    O16 - DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} (Flash Casino Helper Object) - https://spinpalace.microgaming.com/frspinpalace/FlashAX2.cab
    O23 - Service: echovnc-service - Unknown owner - C:\Program Files\EchoVNC\winvnc.exe (file missing)

    3EM/
    refait un scan aprofondi avec en 1ER ton antivirus antivir en 2EM malwarebytes en MODE San ECHEC et ensuite refait un 3EM scan avec hijackthis puis repost les 3 raport stp

    il te faut aussi de meilleur protéction que ca si tu veus garder ton ordi en bonne santé, un vrai parefeu si possible, de bon antyspyware et utiliser firefox pluto que internet explorer
    regarde ici c'est de bonne actualité en avril 2008 pour la securité
    http://ww12.purforum.com

    j'alé oublier ))
    1_une page web s affiche et me dit : error detected , avertissement votre systeme n est pas optimizez
    Il ne faut surtout PAS CLIQUER SUR des liens surgissant de nul part disant que le systeme est infecté ou autres..
    0
  3. standil64
     
    ok , je l ai fix mais ca me dit :
    _ hijackthis is about to remove a bho and thr corresponding file from your system. close all internet explorer windows AND all windows explorer windows before continuing for the best chance of succes

    que dois faire ?
    0
  4. blablate
     
    dans ces cas la, essaye de fermer toute tes applications et retente de fixer
    tu es bien en mode san echec quand tu fais la manip ??
    0
    1. standil64 Messages postés 11 Statut Membre
       
      ben pour hijack ilme demande ca quand je veus les fixer
      0
    2. blablate > standil64 Messages postés 11 Statut Membre
       
      tu es en mode san echec?
      0
    3. standil64 Messages postés 11 Statut Membre
       
      oui mode sans echec
      0
    4. blablate > standil64 Messages postés 11 Statut Membre
       
      hop doublon du méssage//..
      0
    5. blablate > standil64 Messages postés 11 Statut Membre
       
      le message dit de fermer toute les applications avant, mais en san echec je ne vois pas lequel pourrais etre ouverte
      tu n'a pas pris avec prise en charge réseau au moins ?
      il te faut prendre mode san echec normal sur une cession administrateur
      essaye de fixer ligne par ligne
      pour le scan antivir et malwarebytes, ca a donné quoi?
      0
  5. Vous n’avez pas trouvé la réponse que vous recherchez ?

    Posez votre question
  6. standil64 Messages postés 11 Statut Membre
     
    ok j attendais ta reponse , je vais faire ca . pour l inctant j ai telecharger les bon logis pour le bien de mon ordi .
    0
  7. standil64 Messages postés 11 Statut Membre
     
    bon alors ca marche toujours pas hijack ...

    ensuite je te donne le raport antivir :

    Avira AntiVir Personal
    Report file date: mercredi 23 avril 2008 18:49

    Scanning for 1229906 virus strains and unwanted programs.

    Licensed to: Avira AntiVir PersonalEdition Classic
    Serial number: 0000149996-ADJIE-0001
    Platform: Windows Vista
    Windows version: (Service Pack 1) [6.0.6001]
    Boot mode: Save mode
    Username: standil
    Computer name: STANDIL

    Version information:
    BUILD.DAT : 8.1.00.295 16479 Bytes 09/04/2008 16:24:00
    AVSCAN.EXE : 8.1.2.12 311553 Bytes 19/04/2008 07:06:13
    AVSCAN.DLL : 8.1.1.0 53505 Bytes 19/04/2008 07:06:13
    LUKE.DLL : 8.1.2.9 151809 Bytes 19/04/2008 07:06:13
    LUKERES.DLL : 8.1.2.1 12033 Bytes 19/04/2008 07:06:13
    ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 18/07/2007 14:27:15
    ANTIVIR1.VDF : 7.0.3.2 5447168 Bytes 07/03/2008 18:11:47
    ANTIVIR2.VDF : 7.0.3.197 1260032 Bytes 22/04/2008 19:36:35
    ANTIVIR3.VDF : 7.0.3.200 13824 Bytes 22/04/2008 19:36:38
    Engineversion : 8.1.0.32
    AEVDF.DLL : 8.1.0.5 102772 Bytes 19/04/2008 07:06:14
    AESCRIPT.DLL : 8.1.0.26 233850 Bytes 19/04/2008 07:06:14
    AESCN.DLL : 8.1.0.14 119156 Bytes 19/04/2008 07:06:14
    AERDL.DLL : 8.1.0.19 418164 Bytes 19/04/2008 07:06:14
    AEPACK.DLL : 8.1.1.2 364917 Bytes 19/04/2008 07:06:14
    AEOFFICE.DLL : 8.1.0.18 192890 Bytes 19/04/2008 07:06:14
    AEHEUR.DLL : 8.1.0.18 1167735 Bytes 19/04/2008 07:06:14
    AEHELP.DLL : 8.1.0.14 115063 Bytes 19/04/2008 07:06:14
    AEGEN.DLL : 8.1.0.17 299380 Bytes 19/04/2008 07:06:14
    AEEMU.DLL : 8.1.0.5 430450 Bytes 19/04/2008 07:06:14
    AECORE.DLL : 8.1.0.27 168310 Bytes 19/04/2008 07:06:13
    AVWINLL.DLL : 1.0.0.7 14593 Bytes 19/04/2008 07:06:13
    AVPREF.DLL : 8.0.0.1 25857 Bytes 19/04/2008 07:06:13
    AVREP.DLL : 7.0.0.1 155688 Bytes 16/04/2007 13:16:24
    AVREG.DLL : 8.0.0.0 30977 Bytes 19/04/2008 07:06:13
    AVARKT.DLL : 1.0.0.23 307457 Bytes 19/04/2008 07:06:13
    AVEVTLOG.DLL : 8.0.0.11 114945 Bytes 19/04/2008 07:06:13
    SQLITE3.DLL : 3.3.17.1 339968 Bytes 19/04/2008 07:06:13
    SMTPLIB.DLL : 1.2.0.19 28929 Bytes 19/04/2008 07:06:13
    NETNT.DLL : 8.0.0.1 7937 Bytes 19/04/2008 07:06:13
    RCIMAGE.DLL : 8.0.0.35 2371841 Bytes 19/04/2008 07:06:06
    RCTEXT.DLL : 8.0.32.0 86273 Bytes 19/04/2008 07:06:06

    Configuration settings for the scan:
    Jobname..........................: Complete system scan
    Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
    Logging..........................: low
    Primary action...................: repair
    Secondary action.................: delete
    Scan master boot sector..........: on
    Scan boot sector.................: on
    Boot sectors.....................: C:, E:,
    Scan memory......................: on
    Process scan.....................: on
    Scan registry....................: on
    Search for rootkits..............: on
    Scan all files...................: All files
    Scan archives....................: on
    Recursion depth..................: 20
    Smart extensions.................: on
    Macro heuristic..................: on
    File heuristic...................: medium
    Deviating risk categories........: +APPL,+GAME,+JOKE,+PCK,+SPR,

    Start of the scan: mercredi 23 avril 2008 18:49

    Starting search for hidden objects.
    The driver could not be initialized.

    The scan of running processes will be started
    Scan process 'avscan.exe' - '1' Module(s) have been scanned
    Scan process 'mbam.exe' - '1' Module(s) have been scanned
    Scan process 'WmiPrvSE.exe' - '1' Module(s) have been scanned
    Scan process 'WmiPrvSE.exe' - '1' Module(s) have been scanned
    Scan process 'unsecapp.exe' - '1' Module(s) have been scanned
    Scan process 'explorer.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'lsm.exe' - '1' Module(s) have been scanned
    Scan process 'lsass.exe' - '1' Module(s) have been scanned
    Scan process 'winlogon.exe' - '1' Module(s) have been scanned
    Scan process 'services.exe' - '1' Module(s) have been scanned
    Scan process 'wininit.exe' - '1' Module(s) have been scanned
    Scan process 'csrss.exe' - '1' Module(s) have been scanned
    Scan process 'csrss.exe' - '1' Module(s) have been scanned
    Scan process 'smss.exe' - '1' Module(s) have been scanned
    20 processes with 20 modules were scanned

    Starting master boot sector scan:
    Master boot sector HD0
    [INFO] No virus was found!

    Start scanning boot sectors:
    Boot sector 'C:\'
    [INFO] No virus was found!
    Boot sector 'E:\'
    [INFO] No virus was found!

    Starting to scan the registry.
    C:\Windows\System32\ioxmcsah.dll
    [DETECTION] Is the Trojan horse TR/Vundo.Gen
    [NOTE] A backup was created as '48876900.qua' ( QUARANTINE )
    [NOTE] The file was deleted!

    The registry was scanned ( '11' files ).

    Starting the file scan:

    Begin scan in 'C:\'
    C:\pagefile.sys
    [WARNING] The file could not be opened!
    C:\Program Files\Trend Micro\HijackThis\backups\backup-20080423-132800-441.dll
    [DETECTION] Is the Trojan horse TR/Vundo.Gen
    [NOTE] A backup was created as '48727355.qua' ( QUARANTINE )
    [NOTE] The file was deleted!
    C:\Program Files\Trend Micro\HijackThis\backups\backup-20080423-134612-702.dll
    [DETECTION] Is the Trojan horse TR/Vundo.Gen
    [NOTE] A backup was created as '48727356.qua' ( QUARANTINE )
    [NOTE] The file was deleted!
    C:\Program Files\Trend Micro\HijackThis\backups\backup-20080423-135204-133.dll
    [DETECTION] Is the Trojan horse TR/Vundo.Gen
    [NOTE] A backup was created as '4be7d507.qua' ( QUARANTINE )
    [NOTE] The file was deleted!
    C:\Program Files\Trend Micro\HijackThis\backups\backup-20080423-135754-282.dll
    [DETECTION] Is the Trojan horse TR/Vundo.Gen
    [NOTE] A backup was created as '48727357.qua' ( QUARANTINE )
    [NOTE] The file was deleted!
    C:\Program Files\Trend Micro\HijackThis\backups\backup-20080423-183659-194.dll
    [DETECTION] Is the Trojan horse TR/Vundo.Gen
    [NOTE] A backup was created as '48727358.qua' ( QUARANTINE )
    [NOTE] The file was deleted!
    C:\Program Files\Trend Micro\HijackThis\backups\backup-20080423-183727-730.dll
    [DETECTION] Is the Trojan horse TR/Vundo.Gen
    [NOTE] A backup was created as '48727359.qua' ( QUARANTINE )
    [NOTE] The file was deleted!
    C:\Program Files\Trend Micro\HijackThis\backups\backup-20080423-183756-674.dll
    [DETECTION] Is the Trojan horse TR/Vundo.Gen
    [NOTE] A backup was created as '4be7d50a.qua' ( QUARANTINE )
    [NOTE] The file was deleted!
    C:\Program Files\Trend Micro\HijackThis\backups\backup-20080423-184731-110.dll
    [DETECTION] Is the Trojan horse TR/Vundo.Gen
    [NOTE] A backup was created as '4872735b.qua' ( QUARANTINE )
    [NOTE] The file was deleted!
    C:\Program Files\Trend Micro\HijackThis\backups\backup-20080423-184753-942.dll
    [DETECTION] Is the Trojan horse TR/Vundo.Gen
    [NOTE] A backup was created as '4872735a.qua' ( QUARANTINE )
    [NOTE] The file was deleted!
    C:\Windows\System32\opnKETKb.dll
    [DETECTION] Is the Trojan horse TR/Vundo.Gen
    [NOTE] A backup was created as '487d8137.qua' ( QUARANTINE )
    [WARNING] The file could not be deleted!
    C:\Windows\System32\qrvumfso.dll
    [DETECTION] Is the Trojan horse TR/Vundo.Gen
    [NOTE] A backup was created as '4885813f.qua' ( QUARANTINE )
    [NOTE] The file was deleted!
    C:\Windows\System32\drivers\sptd.sys
    [WARNING] The file could not be opened!
    Begin scan in 'E:\'

    End of the scan: mercredi 23 avril 2008 20:51
    Used time: 2:02:33 min

    The scan has been done completely.

    18975 Scanning directories
    313904 Files were scanned
    12 viruses and/or unwanted programs were found
    0 Files were classified as suspicious:
    11 files were deleted
    0 files were repaired
    12 files were moved to quarantine
    0 files were renamed
    2 Files cannot be scanned
    313892 Files not concerned
    3116 Archives were scanned
    3 Warnings
    12 Notes

    et puis malware :

    Processus mémoire infecté(s): 0
    Module(s) mémoire infecté(s): 1
    Clé(s) du Registre infectée(s): 13
    Valeur(s) du Registre infectée(s): 1
    Elément(s) de données du Registre infecté(s): 2
    Dossier(s) infecté(s): 8
    Fichier(s) infecté(s): 22

    Processus mémoire infecté(s):
    (Aucun élément nuisible détecté)

    Module(s) mémoire infecté(s):
    C:\Windows\System32\opnKETKb.dll (Trojan.Vundo) -> No action taken.

    Clé(s) du Registre infectée(s):
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{187d23f0-86b9-42c2-9d97-54f0ebab32ff} (Trojan.Vundo) -> No action taken.
    HKEY_CLASSES_ROOT\CLSID\{187d23f0-86b9-42c2-9d97-54f0ebab32ff} (Trojan.Vundo) -> No action taken.
    HKEY_CURRENT_USER\Software\Casino Tropez (Adware.Casino) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Casino Tropez (Adware.Casino) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> No action taken.
    HKEY_CURRENT_USER\Software\Microsoft\aldd (Malware.Trace) -> No action taken.
    HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> No action taken.
    HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> No action taken.
    HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> No action taken.

    Valeur(s) du Registre infectée(s):
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6a6eae1b-4ad6-4035-974d-504d6dbaa9c3} (Trojan.Vundo) -> No action taken.

    Elément(s) de données du Registre infecté(s):
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\opnketkb -> No action taken.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\opnketkb -> No action taken.

    Dossier(s) infecté(s):
    C:\Program Files\Instant Access (Adware.EGDAccess) -> No action taken.
    C:\Program Files\Instant Access\Center (Adware.EGDAccess) -> No action taken.
    C:\Program Files\Instant Access\DesktopIcons (Adware.EGDAccess) -> No action taken.
    C:\Program Files\Instant Access\Multi (Adware.EGDAccess) -> No action taken.
    C:\Program Files\Instant Access\Multi\20080227150213 (Adware.EGDAccess) -> No action taken.
    C:\Program Files\Instant Access\Multi\20080227150213\Common (Adware.EGDAccess) -> No action taken.
    C:\Program Files\Instant Access\Multi\20080227150213\js (Adware.EGDAccess) -> No action taken.
    C:\Program Files\Instant Access\Multi\20080227150213\medias (Adware.EGDAccess) -> No action taken.

    Fichier(s) infecté(s):
    C:\Windows\System32\opnKETKb.dll (Trojan.Vundo) -> No action taken.
    C:\Windows\System32\bKTEKnpo.ini (Trojan.Vundo) -> No action taken.
    C:\Windows\System32\bKTEKnpo.ini2 (Trojan.Vundo) -> No action taken.
    C:\Windows\System32\qrvumfso.dll (Trojan.Vundo) -> No action taken.
    C:\Windows\System32\osfmuvrq.ini (Trojan.Vundo) -> No action taken.
    C:\Program Files\Trend Micro\HijackThis\backups\backup-20080423-132800-441.dll (Trojan.Vundo) -> No action taken.
    C:\Program Files\Trend Micro\HijackThis\backups\backup-20080423-134612-702.dll (Trojan.Vundo) -> No action taken.
    C:\Program Files\Trend Micro\HijackThis\backups\backup-20080423-135204-133.dll (Trojan.Vundo) -> No action taken.
    C:\Program Files\Trend Micro\HijackThis\backups\backup-20080423-135754-282.dll (Trojan.Vundo) -> No action taken.
    C:\Program Files\Trend Micro\HijackThis\backups\backup-20080423-183659-194.dll (Trojan.Vundo) -> No action taken.
    C:\Program Files\Trend Micro\HijackThis\backups\backup-20080423-183727-730.dll (Trojan.Vundo) -> No action taken.
    C:\Program Files\Trend Micro\HijackThis\backups\backup-20080423-183756-674.dll (Trojan.Vundo) -> No action taken.
    C:\Program Files\Trend Micro\HijackThis\backups\backup-20080423-184731-110.dll (Trojan.Vundo) -> No action taken.
    C:\Program Files\Trend Micro\HijackThis\backups\backup-20080423-184753-942.dll (Trojan.Vundo) -> No action taken.
    C:\Program Files\Instant Access\Multi\20080227150213\dialerexe.ini (Adware.EGDAccess) -> No action taken.
    C:\Program Files\Instant Access\Multi\20080227150213\Common\module.php (Adware.EGDAccess) -> No action taken.
    C:\Program Files\Instant Access\Multi\20080227150213\js\js_api_dialer.php (Adware.EGDAccess) -> No action taken.
    C:\Program Files\Instant Access\Multi\20080227150213\medias\button1.jpg (Adware.EGDAccess) -> No action taken.
    C:\Program Files\Instant Access\Multi\20080227150213\medias\button2.jpg (Adware.EGDAccess) -> No action taken.
    C:\Program Files\Instant Access\Multi\20080227150213\medias\button3.jpg (Adware.EGDAccess) -> No action taken.
    C:\Program Files\Instant Access\Multi\20080227150213\medias\button4.jpg (Adware.EGDAccess) -> No action taken.
    C:\Program Files\Instant Access\Multi\20080227150213\medias\dialer.ico (Adware.EGDAccess) -> No action taken.
    0
  8. blablate
     
    bon antivir a repéré et tué pas mal de verrole mais je ne comprend pas pourquoi malwarebytes et hjks n'arrive pas a fonctionner
    repost un raport hjks stp que je vois la différence
    0
    1. crewlou Messages postés 62 Statut Membre 1
       
      je suis strictement dans le meme cas j'étais bien infecté j'ai fait une désinfection avec quelqu'un sur ce forum et il me reste toujours ce TR\Vundo.gen à l'ouverture de windows signalé par Avira antivir ....

      jettez un oeuil sur ce que j'ai déjà fait : ca n'a pas été efficace ...

      http://www.commentcamarche.net/forum/affich 6054945 virus trojan spy diagnostic#0
      0
    2. standil64 Messages postés 11 Statut Membre
       
      voila le scan hijack . et met c dingue ce qui fait ce virus !!! je suis blasé , ca fesait 7 ans que je n avais jamais choper de virus ! et la bla bla . :(

      Running processes:
      C:\Windows\system32\Dwm.exe
      C:\Windows\Explorer.EXE
      C:\Program Files\Windows Defender\MSASCui.exe
      C:\Windows\RtHDVCpl.exe
      C:\Program Files\System Control Manager\MGSysCtrl.exe
      C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
      C:\Program Files\DAEMON Tools\daemon.exe
      C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
      C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
      C:\Program Files\Spyware Terminator\SpywareTerminatorShield.Exe
      C:\Windows\ehome\ehtray.exe
      C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
      C:\Windows\ehome\ehmsas.exe
      C:\Program Files\Windows Media Player\wmpnscfg.exe
      C:\Windows\system32\wbem\unsecapp.exe
      C:\Program Files\Windows Live\Mail\wlmail.exe
      C:\Users\standil\Downloads\logis\defregmantateur\JkDefrag.exe
      C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
      C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.fr/?gws_rd=ssl
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
      R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.msn.com/fr-fr/?ocid=iehp
      R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
      R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
      O1 - Hosts: ::1 localhost
      O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
      O2 - BHO: (no name) - {608EA2D2-8D06-48DF-B2D8-1A646FE366A9} - C:\Windows\system32\opnKETKb.dll
      O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
      O2 - BHO: Windows Live Call HoverToCall class - {7E853D72-626A-48EC-A868-BA8D5E23E045} - C:\Program Files\Windows Live\Messenger\HTC.DLL
      O2 - BHO: Programme d'aide de l'Assistant de connexion Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
      O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
      O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
      O4 - HKLM\..\Run: [MGSysCtrl] C:\Program Files\System Control Manager\MGSysCtrl.exe
      O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
      O4 - HKLM\..\Run: [AuditVista]
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
      O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
      O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
      O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
      O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
      O4 - HKCU\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
      O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
      O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
      O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'SERVICE LOCAL')
      O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'SERVICE LOCAL')
      O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'SERVICE RÉSEAU')
      O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
      O8 - Extra context menu item: Ouvrir dans WordPerfect - C:\Program Files\WordPerfect Office X3\Programs\WPLauncher.hta
      O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
      O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
      O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
      O13 - Gopher Prefix:
      O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
      O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://signin3.valueactive.com/Register/Branding/olr3313/OCX/v1018/flashax.cab
      O16 - DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} (Flash Casino Helper Object) - https://spinpalace.microgaming.com/frspinpalace/FlashAX2.cab
      O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
      O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
      O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
      O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
      O23 - Service: echovnc-service - Unknown owner - C:\Program Files\EchoVNC\winvnc.exe (file missing)
      O23 - Service: SCM Driver Daemon (NishService) - Unknown owner - C:\Program Files\System Control Manager\edd.exe
      O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
      O23 - Service: O2Micro Flash Memory Card Service (o2flash) - O2Micro International - C:\Program Files\O2Micro Oz128 Driver\o2flash.exe
      O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
      O23 - Service: ProtexisLicensing - Unknown owner - C:\Windows\system32\PSIService.exe
      O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
      O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\System32\ZoneLabs\vsmon.exe
      0
  9. blablate
     
    en effet les nombreus post sur le sujet me font assez peur,
    on va sortir la grosse artillerie

    telecharge combo fix et scan en mode san echec
    https://www.bleepingcomputer.com/combofix/fr/comment-utiliser-combofix

    recommence avec vundofix aussi, ca dois marcher
    https://leblogdeclaude.blogspot.com/2007/05/procdure-vundofix.html

    apres post les raport généré
    0
    1. crewlou Messages postés 62 Statut Membre 1
       
      J'ai un nouveau symptome assez problématique :

      Je tourne sur mozilla et je n'ai pas remarqué de ralentissement pour la navigation
      Par contre j'ai lancé:
      Spybot en Recherche: il est bloqué en plein milieu de recherche et la barre ne bouge plus elle est sur: "(67938/133091: MyWay.MyWebSearch)"
      Tout à l'heure on m'a demandé de lancer DSS: il s'est arrété en milieu de scan
      J'ai lancé VundoFix: il vient de s'arreter et il bloque....

      Impossible de les fermer meme avec le gestionnaire des taches. J'ai redémarré plusieurs fois ca plante à chaque fois ....

      Je passe en mode sans echec ???
      0
  10. blablate
     
    oui les scan se font en mode san echec et sous session administrateur
    vous avez des ordis sacrément vérrolé ..)
    post un raport hjks aussi mais repost sur ton ancien méssage, ca évitera de surcharger ce post,
    je te répond la bas ou vu l'ampleur des dégas, vous pouvez filler vos msn par mp j'éssayerais de vous aider diectement
    0