Infection par Vundo.GT Fermé

Question

Bonjour,
j'ai besoin de votre aide s'il vous plait : depuis hier, mon ordi est infecté, malgré mon aintivirus avira antivir et spybot. Tout d'abord, j'ai un message qui me signale que mes mises à jour automatiques sont désactivées et que mon ordi courre un risque et je ne peux plus les réactiver. De plus, Windows me signale qu'il ne peut plus y accéder lorsque je tente de les réactiver.
De plus, j'ai un message de spybot qui me signale tout le temps que "spybot a décelé qu'un élément important du registre a été modifié", catégorie : système spybot startup use entry, modification : valeur supprimée, élément : spybot deleting B4389, ancienne valeur : command/c del/ "C:/windows/system32/by. Au début, j'ai accepté quelques modifications de mon registre (j'ai surement fait une erreur) : je ne le fais plus maintenant, mais le problème persiste.
Enfin, avira antivir me signale que je suis infecté par Trojan horse, TR/Vundo.GT, mais n'arrive pas à le supprimer.
Merci d'avance de prendre un peu de temps pour m'aider !

Utilisateur anonyme · Answer

salut

desactive spybot

puis fais ca avec antivir

reglages pour antivir :

une fois antivir ouvert click surconfiguration et coche la case "expert mode" puis sur l´onglet scanner dans la fenetre du dessous tu va voir : rootkit search click sur le petit + pour deployer et coche la case a coté de ton disk dur
puis click sur configuration en haut a droite; dans la nouvelle fenetre a gauche >scanner > coche "scan all files" et en dessous >scanner priority = High
coche : allow stopping the scanner, comme cela tu peux faire une pause pendant le scan si tu le desir.
puis sur la droite coche les case suivantes :
scan boot sectors of selected drives
scan master boot sectors
scan memory
search foe rootkit before scan
decoche :
ignore off line files
toujours a gauche > scan > deploie > heuristique > macrovirus heuristic = coché et en dessous > win32 heuristic la case coché et high detection level


aussi clic sur guard puis coche scan archive puis tu decoche les 3 case en dessous puis ok

puis tu le mes bien a jour puis tu fais un scan et mode normale puis tu supprime tous se qu'il trouve et pareille en mode sans echec puis tu mes a jour spybot tu vacine ton systeme et tu lance un scan et tu corrige tous les problemes qu'il va trouver

gandalf22 · Answer

Re bonjour, je n'arrive toujours pas à m'en sortir
Je vous poste mon rapport hijackthis si cela peut vous aider
merci de m'aider s'il vous plait !
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:31, on 2008-05-17
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\Rundll32.exe
C:\PROGRA~1\MESSAG~1\StartMessager.exe
C:\Program Files\Fichiers communs\Logitech\QCDriver2\LVCOMS.EXE
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Adobe\Photoshop Album Edition Découverte\3.2\Apps\apdproxy.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\a-squared Free\a2service.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\WINDOWS\system32\sistray.exe
C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = https://www.orange.fr/portail
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.talti.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\Program Files\Orange\SearchURLHook\SearchPageURL.dll (file missing)
O2 - BHO: Aide pour le lien d'Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {06DF596B-3170-4F07-BE10-86E31456BC56} - C:\WINDOWS\system32\pmnoNHBQ.dll
O2 - BHO: (no name) - {19730E0D-D708-4EC4-8375-BF2DFCCFC469} - C:\WINDOWS\system32\urqRLbay.dll (file missing)
O2 - BHO: (no name) - {1B832C41-DBAA-47AF-B788-7C172BAF0A6C} - C:\WINDOWS\system32\byXOeeBR.dll (file missing)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7B796C57-62B6-4E70-8E3D-9859A15B0A41} - C:\WINDOWS\system32\ssqOIXQG.dll (file missing)
O2 - BHO: (no name) - {83E92C1D-51A5-4FEF-A501-7200B95211CF} - C:\WINDOWS\system32\jkkLBqro.dll (file missing)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [MessagerStarter Wanadoo] C:\PROGRA~1\MESSAG~1\StartMessager.exe Messager Wanadoo
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Fichiers communs\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Edition Découverte\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Outil de mise à jour Google.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Wanadoo - {1462651F-F4BA-4C76-A001-C4284D0FE16E} - https://www.orange.fr/portail (file missing) (HKCU)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {83AFB5CA-ED35-11D4-A452-0080C8D85045} (GameDesire Poker Games) - http://67.15.101.3/g_bin/eng/poker_2_0_0_45.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: pmnoNHBQ - C:\WINDOWS\SYSTEM32\pmnoNHBQ.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SmartLinkService (SLService) -   - C:\WINDOWS\SYSTEM32\slserv.exe

VIRUS_KILLER · Answer

Salut
Telecharge et installe : VundoFix : http://ftpclubic45.clubic.com/...
Installe le > Clique sur Scan for Vundo et dit nous ce qu'il en est.
a+

gandalf22 · Answer

merci je fais tout ça et je te tiens au courant !

gandalf · Answer

Bonsoir : voilà, j'ai fait ce que tu m'as demandé, et donc voici le rapport (malheureusement, ce satané virus est toujours présent : avira me le signale...) :
Malwarebytes' Anti-Malware 1.12
Version de la base de données: 759

Type de recherche: Examen complet (C:\|D:\|)
Eléments examinés: 79426
Temps écoulé: 1 hour(s), 39 minute(s), 30 second(s)

Processus mémoire infecté(s): 0
Module(s) mémoire infecté(s): 1
Clé(s) du Registre infectée(s): 8
Valeur(s) du Registre infectée(s): 1
Elément(s) de données du Registre infecté(s): 0
Dossier(s) infecté(s): 3
Fichier(s) infecté(s): 11

Processus mémoire infecté(s):
(Aucun élément nuisible détecté)

Module(s) mémoire infecté(s):
C:\WINDOWS\system32\pmnoNHBQ.dll (Trojan.Vundo) -> No action taken.

Clé(s) du Registre infectée(s):
HKEY_CLASSES_ROOT\CLSID\{06df596b-3170-4f07-be10-86e31456bc56} (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06df596b-3170-4f07-be10-86e31456bc56} (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\pmnonhbq (Trojan.Vundo) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\CAC (Malware.Trace) -> No action taken.

Valeur(s) du Registre infectée(s):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{06df596b-3170-4f07-be10-86e31456bc56} (Trojan.Vundo) -> No action taken.

Elément(s) de données du Registre infecté(s):
(Aucun élément nuisible détecté)

Dossier(s) infecté(s):
C:\Documents and Settings\BUT\Application Data\DriveCleaner 2006 Free (Rogue.DriveCleaner) -> No action taken.
C:\Documents and Settings\BUT\Application Data\DriveCleaner 2006 Free\Logs (Rogue.DriveCleaner) -> No action taken.
C:\Documents and Settings\BUT\Application Data\ultra (Rogue.Multiple) -> No action taken.

Fichier(s) infecté(s):
C:\WINDOWS\system32\eofqgmaw.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\wamgqfoe.ini (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\pmnoNHBQ.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{20F508DD-556D-4780-869F-D1CE4C742FF6}\RP399\A0082590.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{20F508DD-556D-4780-869F-D1CE4C742FF6}\RP399\A0082591.dll (Trojan.Vundo) -> No action taken.
C:\Documents and Settings\BUT\Application Data\DriveCleaner 2006 Free\Logs\update.log (Rogue.DriveCleaner) -> No action taken.
C:\Documents and Settings\BUT\Application Data\ultra\uninstall.bat (Rogue.Multiple) -> No action taken.
C:\WINDOWS\inf\ultra.PNF (Malware.Trace) -> No action taken.
C:\WINDOWS\oadkxrts.exe (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\mpfanvqg.dll (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\fvowketqxfo.dll (Trojan.FakeAlert) -> No action taken.

merci beaucoup de m'aider !

gil le fantom · Answer

bonsoir
tu n"as pas fais suppression des infections qans malware byte's

a+

gil le fantom · Answer

poste le rapport de la suppression de malwarebyte's stp

gandalf · Answer

ok je n'ai que 2 rapports dans les documents je te mets les 2 car je ne sais pas lequel est le bon (désolé je ne suis pas très doué...) De plus, une fois que j'ai rallumé mon ordi après malwarbytes je n'ai pas eu de rapport qui s'est affiché
Malwarebytes' Anti-Malware 1.12
Version de la base de données: 759

Type de recherche: Examen complet (C:\|D:\|)
Eléments examinés: 79426
Temps écoulé: 1 hour(s), 39 minute(s), 30 second(s)

Processus mémoire infecté(s): 0
Module(s) mémoire infecté(s): 1
Clé(s) du Registre infectée(s): 8
Valeur(s) du Registre infectée(s): 1
Elément(s) de données du Registre infecté(s): 0
Dossier(s) infecté(s): 3
Fichier(s) infecté(s): 11

Processus mémoire infecté(s):
(Aucun élément nuisible détecté)

Module(s) mémoire infecté(s):
C:\WINDOWS\system32\pmnoNHBQ.dll (Trojan.Vundo) -> Unloaded module successfully.

Clé(s) du Registre infectée(s):
HKEY_CLASSES_ROOT\CLSID\{06df596b-3170-4f07-be10-86e31456bc56} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06df596b-3170-4f07-be10-86e31456bc56} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\pmnonhbq (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\CAC (Malware.Trace) -> Quarantined and deleted successfully.

Valeur(s) du Registre infectée(s):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{06df596b-3170-4f07-be10-86e31456bc56} (Trojan.Vundo) -> Quarantined and deleted successfully.

Elément(s) de données du Registre infecté(s):
(Aucun élément nuisible détecté)

Dossier(s) infecté(s):
C:\Documents and Settings\BUT\Application Data\DriveCleaner 2006 Free (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Documents and Settings\BUT\Application Data\DriveCleaner 2006 Free\Logs (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Documents and Settings\BUT\Application Data\ultra (Rogue.Multiple) -> Quarantined and deleted successfully.

Fichier(s) infecté(s):
C:\WINDOWS\system32\eofqgmaw.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wamgqfoe.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pmnoNHBQ.dll (Trojan.Vundo) -> Delete on reboot.
C:\System Volume Information\_restore{20F508DD-556D-4780-869F-D1CE4C742FF6}\RP399\A0082590.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{20F508DD-556D-4780-869F-D1CE4C742FF6}\RP399\A0082591.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\BUT\Application Data\DriveCleaner 2006 Free\Logs\update.log (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Documents and Settings\BUT\Application Data\ultra\uninstall.bat (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\WINDOWS\inf\ultra.PNF (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\oadkxrts.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\mpfanvqg.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\fvowketqxfo.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.

et voilà le deuxième :
Malwarebytes' Anti-Malware 1.12
Version de la base de données: 759

Type de recherche: Examen complet (C:\|D:\|)
Eléments examinés: 79426
Temps écoulé: 1 hour(s), 39 minute(s), 30 second(s)

Processus mémoire infecté(s): 0
Module(s) mémoire infecté(s): 1
Clé(s) du Registre infectée(s): 8
Valeur(s) du Registre infectée(s): 1
Elément(s) de données du Registre infecté(s): 0
Dossier(s) infecté(s): 3
Fichier(s) infecté(s): 11

Processus mémoire infecté(s):
(Aucun élément nuisible détecté)

Module(s) mémoire infecté(s):
C:\WINDOWS\system32\pmnoNHBQ.dll (Trojan.Vundo) -> Unloaded module successfully.

Clé(s) du Registre infectée(s):
HKEY_CLASSES_ROOT\CLSID\{06df596b-3170-4f07-be10-86e31456bc56} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06df596b-3170-4f07-be10-86e31456bc56} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\pmnonhbq (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\CAC (Malware.Trace) -> Quarantined and deleted successfully.

Valeur(s) du Registre infectée(s):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{06df596b-3170-4f07-be10-86e31456bc56} (Trojan.Vundo) -> Quarantined and deleted successfully.

Elément(s) de données du Registre infecté(s):
(Aucun élément nuisible détecté)

Dossier(s) infecté(s):
C:\Documents and Settings\BUT\Application Data\DriveCleaner 2006 Free (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Documents and Settings\BUT\Application Data\DriveCleaner 2006 Free\Logs (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Documents and Settings\BUT\Application Data\ultra (Rogue.Multiple) -> Quarantined and deleted successfully.

Fichier(s) infecté(s):
C:\WINDOWS\system32\eofqgmaw.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wamgqfoe.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pmnoNHBQ.dll (Trojan.Vundo) -> Delete on reboot.
C:\System Volume Information\_restore{20F508DD-556D-4780-869F-D1CE4C742FF6}\RP399\A0082590.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{20F508DD-556D-4780-869F-D1CE4C742FF6}\RP399\A0082591.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\BUT\Application Data\DriveCleaner 2006 Free\Logs\update.log (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Documents and Settings\BUT\Application Data\ultra\uninstall.bat (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\WINDOWS\inf\ultra.PNF (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\oadkxrts.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\mpfanvqg.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\fvowketqxfo.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.

gandalf · Answer

re bonsoir svp que dois je faire après ces résultats car ce satané virus est toujours là !
merci

gil le fantom · Answer

Télécharger VirtumundoBegone sur le bureau:
http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe

Ce déconnecter et fermer toute ces applications le temps de la manipe .

Double cliquer sur VirtumundoBeGone.exe et suivre les instructions.
Une fois terminé, redémarrer le PC, le rapport VBG.TXT sera crée sur le bureau , postes le.
(Si un message Ecran bleu "Erreur fatale" apparaît, pas d’inquiétude car c'est normal et attendu).

gandalf · Answer

re bonsoir Voilà c'est fait voici le rapport de virtumundobegone :
[05/17/2008, 23:35:59] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\BUT\Bureau\VirtumundoBeGone.exe" )
[05/17/2008, 23:36:10] - Detected System Information:
[05/17/2008, 23:36:10] -  Windows Version: 5.1.2600, Service Pack 2
[05/17/2008, 23:36:10] -  Current Username: BUT (Admin)
[05/17/2008, 23:36:10] -  Windows is in NORMAL mode.
[05/17/2008, 23:36:10] - Searching for Browser Helper Objects:
[05/17/2008, 23:36:10] -  BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Aide pour le lien d'Adobe PDF Reader)
[05/17/2008, 23:36:10] -  BHO 2: {06DF596B-3170-4F07-BE10-86E31456BC56} ()
[05/17/2008, 23:36:10] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/17/2008, 23:36:10] -  Checking for HKLM\...\Winlogon\Notify\pmnoNHBQ
[05/17/2008, 23:36:10] -  Found: HKLM\...\Winlogon\Notify\pmnoNHBQ - This is probably Virtumundo.
[05/17/2008, 23:36:10] -  Assigning {06DF596B-3170-4F07-BE10-86E31456BC56} MSEvents Object
[05/17/2008, 23:36:10] - BHO list has been changed! Starting over...
[05/17/2008, 23:36:10] -  BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Aide pour le lien d'Adobe PDF Reader)
[05/17/2008, 23:36:10] -  BHO 2: {06DF596B-3170-4F07-BE10-86E31456BC56} (MSEvents Object)
[05/17/2008, 23:36:10] - ALERT: Found MSEvents Object!
[05/17/2008, 23:36:10] -  BHO 3: {19730E0D-D708-4EC4-8375-BF2DFCCFC469} ()
[05/17/2008, 23:36:10] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/17/2008, 23:36:10] -  Checking for HKLM\...\Winlogon\Notify\urqRLbay
[05/17/2008, 23:36:10] -  Key not found: HKLM\...\Winlogon\Notify\urqRLbay, continuing.
[05/17/2008, 23:36:10] -  BHO 4: {1B832C41-DBAA-47AF-B788-7C172BAF0A6C} ()
[05/17/2008, 23:36:10] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/17/2008, 23:36:10] -  Checking for HKLM\...\Winlogon\Notify\byXOeeBR
[05/17/2008, 23:36:10] -  Key not found: HKLM\...\Winlogon\Notify\byXOeeBR, continuing.
[05/17/2008, 23:36:10] -  BHO 5: {3049C3E9-B461-4BC5-8870-4C09146192CA} (RealPlayer Download and Record Plugin for Internet Explorer)
[05/17/2008, 23:36:10] -  BHO 6: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
[05/17/2008, 23:36:10] -  BHO 7: {7B796C57-62B6-4E70-8E3D-9859A15B0A41} ()
[05/17/2008, 23:36:10] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/17/2008, 23:36:10] -  Checking for HKLM\...\Winlogon\Notify\ssqOIXQG
[05/17/2008, 23:36:10] -  Key not found: HKLM\...\Winlogon\Notify\ssqOIXQG, continuing.
[05/17/2008, 23:36:10] -  BHO 8: {83E92C1D-51A5-4FEF-A501-7200B95211CF} ()
[05/17/2008, 23:36:10] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/17/2008, 23:36:10] -  Checking for HKLM\...\Winlogon\Notify\jkkLBqro
[05/17/2008, 23:36:10] -  Key not found: HKLM\...\Winlogon\Notify\jkkLBqro, continuing.
[05/17/2008, 23:36:10] -  BHO 9: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} (Google Toolbar Notifier BHO)
[05/17/2008, 23:36:10] - Finished Searching Browser Helper Objects
[05/17/2008, 23:36:10] - *** Detected MSEvents Object
[05/17/2008, 23:36:10] - Trying to remove MSEvents Object...
[05/17/2008, 23:36:11] -    Terminating Process: IEXPLORE.EXE
[05/17/2008, 23:36:11] -    Terminating Process: RUNDLL32.EXE
[05/17/2008, 23:36:12] -    Disabling Automatic Shell Restart
[05/17/2008, 23:36:12] -    Terminating Process: EXPLORER.EXE
[05/17/2008, 23:36:12] -    Suspending the NT Session Manager System Service
[05/17/2008, 23:36:12] -    Terminating Windows NT Logon/Logoff Manager
[05/17/2008, 23:36:12] -    Re-enabling Automatic Shell Restart
[05/17/2008, 23:36:12] -   File to disable: C:\WINDOWS\system32\pmnoNHBQ.dll
[05/17/2008, 23:36:12] -  Renaming C:\WINDOWS\system32\pmnoNHBQ.dll -> C:\WINDOWS\system32\pmnoNHBQ.dll.vir
[05/17/2008, 23:36:12] -  File successfully renamed!
[05/17/2008, 23:36:12] -   Removing HKLM\...\Browser Helper Objects\{06DF596B-3170-4F07-BE10-86E31456BC56}
[05/17/2008, 23:36:12] -   Removing HKCR\CLSID\{06DF596B-3170-4F07-BE10-86E31456BC56}
[05/17/2008, 23:36:12] -   Adding Kill Bit for ActiveX for GUID: {06DF596B-3170-4F07-BE10-86E31456BC56}
[05/17/2008, 23:36:12] -   Deleting ATLEvents/MSEvents Registry entries
[05/17/2008, 23:36:12] -   Removing HKLM\...\Winlogon\Notify\pmnoNHBQ
[05/17/2008, 23:36:12] - Searching for Browser Helper Objects:
[05/17/2008, 23:36:13] -  BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Aide pour le lien d'Adobe PDF Reader)
[05/17/2008, 23:36:13] -  BHO 2: {19730E0D-D708-4EC4-8375-BF2DFCCFC469} ()
[05/17/2008, 23:36:13] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/17/2008, 23:36:13] -  Checking for HKLM\...\Winlogon\Notify\urqRLbay
[05/17/2008, 23:36:13] -  Key not found: HKLM\...\Winlogon\Notify\urqRLbay, continuing.
[05/17/2008, 23:36:13] -  BHO 3: {1B832C41-DBAA-47AF-B788-7C172BAF0A6C} ()
[05/17/2008, 23:36:13] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/17/2008, 23:36:13] -  Checking for HKLM\...\Winlogon\Notify\byXOeeBR
[05/17/2008, 23:36:13] -  Key not found: HKLM\...\Winlogon\Notify\byXOeeBR, continuing.
[05/17/2008, 23:36:13] -  BHO 4: {3049C3E9-B461-4BC5-8870-4C09146192CA} (RealPlayer Download and Record Plugin for Internet Explorer)
[05/17/2008, 23:36:13] -  BHO 5: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
[05/17/2008, 23:36:13] -  BHO 6: {7B796C57-62B6-4E70-8E3D-9859A15B0A41} ()
[05/17/2008, 23:36:13] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/17/2008, 23:36:13] -  Checking for HKLM\...\Winlogon\Notify\ssqOIXQG
[05/17/2008, 23:36:13] -  Key not found: HKLM\...\Winlogon\Notify\ssqOIXQG, continuing.
[05/17/2008, 23:36:13] -  BHO 7: {83E92C1D-51A5-4FEF-A501-7200B95211CF} ()
[05/17/2008, 23:36:13] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/17/2008, 23:36:13] -  Checking for HKLM\...\Winlogon\Notify\jkkLBqro
[05/17/2008, 23:36:13] -  Key not found: HKLM\...\Winlogon\Notify\jkkLBqro, continuing.
[05/17/2008, 23:36:13] -  BHO 8: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} (Google Toolbar Notifier BHO)
[05/17/2008, 23:36:13] - Finished Searching Browser Helper Objects
[05/17/2008, 23:36:13] - Finishing up...
[05/17/2008, 23:36:13] - A restart is needed.
[05/17/2008, 23:36:20] - Attempting to Restart via STOP error (Blue Screen!)

[05/17/2008, 23:38:32] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\BUT\Bureau\VirtumundoBeGone.exe" )
[05/17/2008, 23:38:39] - Detected System Information:
[05/17/2008, 23:38:39] -  Windows Version: 5.1.2600, Service Pack 2
[05/17/2008, 23:38:39] -  Current Username: BUT (Admin)
[05/17/2008, 23:38:39] -  Windows is in NORMAL mode.
[05/17/2008, 23:38:39] - Searching for Browser Helper Objects:
[05/17/2008, 23:38:39] -  BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Aide pour le lien d'Adobe PDF Reader)
[05/17/2008, 23:38:39] -  BHO 2: {19730E0D-D708-4EC4-8375-BF2DFCCFC469} ()
[05/17/2008, 23:38:39] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/17/2008, 23:38:39] -  Checking for HKLM\...\Winlogon\Notify\urqRLbay
[05/17/2008, 23:38:39] -  Key not found: HKLM\...\Winlogon\Notify\urqRLbay, continuing.
[05/17/2008, 23:38:39] -  BHO 3: {1B832C41-DBAA-47AF-B788-7C172BAF0A6C} ()
[05/17/2008, 23:38:39] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/17/2008, 23:38:39] -  Checking for HKLM\...\Winlogon\Notify\byXOeeBR
[05/17/2008, 23:38:39] -  Key not found: HKLM\...\Winlogon\Notify\byXOeeBR, continuing.
[05/17/2008, 23:38:39] -  BHO 4: {3049C3E9-B461-4BC5-8870-4C09146192CA} (RealPlayer Download and Record Plugin for Internet Explorer)
[05/17/2008, 23:38:39] -  BHO 5: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
[05/17/2008, 23:38:39] -  BHO 6: {7B796C57-62B6-4E70-8E3D-9859A15B0A41} ()
[05/17/2008, 23:38:39] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/17/2008, 23:38:39] -  Checking for HKLM\...\Winlogon\Notify\ssqOIXQG
[05/17/2008, 23:38:39] -  Key not found: HKLM\...\Winlogon\Notify\ssqOIXQG, continuing.
[05/17/2008, 23:38:39] -  BHO 7: {83E92C1D-51A5-4FEF-A501-7200B95211CF} ()
[05/17/2008, 23:38:39] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/17/2008, 23:38:39] -  Checking for HKLM\...\Winlogon\Notify\jkkLBqro
[05/17/2008, 23:38:39] -  Key not found: HKLM\...\Winlogon\Notify\jkkLBqro, continuing.
[05/17/2008, 23:38:39] -  BHO 8: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} (Google Toolbar Notifier BHO)
[05/17/2008, 23:38:39] - Finished Searching Browser Helper Objects
[05/17/2008, 23:38:39] - Finishing up...
[05/17/2008, 23:38:39] - Nothing found! Exiting...

Que dois-je faire maintenant ? Merci

gil le fantom · Answer

poste un nouveau rapport hijackthis stp

gandalf · Answer

coucou ! y a-t-il encore quelqu'un d'éveillé qui puisse me répondre ? En tous les cas, déjà merci à tous ceux qui prennent du temps pour m'aider !!!!!

gil le fantom · Answer

relance hijackthis
selectionne   do a system scan only
 et coches les lignes suivantes:

 O2 - BHO: (no name) - {19730E0D-D708-4EC4-8375-BF2DFCCFC469} - C:\WINDOWS\system32\urqRLbay.dll (file missing)
 O2 - BHO: (no name) - {1B832C41-DBAA-47AF-B788-7C172BAF0A6C} - C:\WINDOWS\system32\byXOeeBR.dll (file missing)
 O2 - BHO: (no name) - {7B796C57-62B6-4E70-8E3D-9859A15B0A41} - C:\WINDOWS\system32\ssqOIXQG.dll (file missing)
O2 - BHO: (no name) - {83E92C1D-51A5-4FEF-A501-7200B95211CF} - C:\WINDOWS\system32\jkkLBqro.dll (file missing)
 O9 - Extra button: Wanadoo - {1462651F-F4BA-4C76-A001-C4284D0FE16E} - https://www.orange.fr/portail (file missing) (HKCU)
O16 - DPF: {83AFB5CA-ED35-11D4-A452-0080C8D85045} (GameDesire Poker Games) - http://67.15.101.3/g_bin/eng/poker_2_0_0_45.cab

puis clic sur le bouton "Fix Checked" 
puis tu me repost un rapport hijackthis.

gil le fantom · Answer

comme je vais me coucher

après tu fais un nouveau point de restauration
tu va à démarrer
clic droit sur poste de travail
propriétés
restauration du système
tu coche désactiver la restauration du systéme
tu redémarre
tu refais la même chose
tu décoche désactiver la restauration du systéme

puis tu fais un nouveau scan avec ton antivirus

et tu me dis s' il trouve encore quelque chose

bonne nuit

a demain

gandalf · Answer

bonjour ! Quelqu'un peut-il m'aider afin de supprimer enfin ce satané virus ? J'ai aussi oublié de vous dire que mes mises à jour automatiques sont toujours désactivées et qu'il est impossible de les réactiver ....
Merci

gil le fantom · Answer

bonjour

tu télécharge ComboFix : 
 
http://download.bleepingcomputer.com/sUBs/ComboFix.exe 

applique ceux tuto à la lettre https://www.bleepingcomputer.com/combofix/fr/comment-utiliser-combofix

poste le rapport

tu enregistre le sur le bureau. 

Avant d'utiliser ComboFix : 

tu déconnecte internet et referme les fenêtres de tous les programmes en cours 


tu désactive provisoirement la protection en temps réel de ton Antivirus et de tes Antispywares. 


 sur ton bureau tu double-clic sur Combofix.exe. 

tu répond oui au message d'avertissement, pour que le programme commence à procéder à l'analyse du pc. 

 Pendant la durée de cette étape,tu ne te sert pas du pc et n'ouvre aucun programmes. 


- En fin de scan il est possible que ComboFix ait besoin de redémarrer le pc pour finaliser la désinfection\recherche, laisses-le faire. 

- Un rapport s'ouvrira ensuite dans le bloc notes, ce fichier rapport Combofix.txt, est automatiquement sauvegardé et rangé à C:\Combofix.txt) 

tu réactive la protection en temps réel de ton Antivirus et de tes Antispywares, avant de te reconnecter à internet. 

tu reviens sur le forum, et copie et colle la totalité du contenu de C:\Combofix.txt .

gandalf · Answer

Re bonjour : voici le rapport de cumbofix :

(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\pack.epk
C:\WINDOWS\system32\GQXIOqss.ini
C:\WINDOWS\system32\GQXIOqss.ini2
C:\WINDOWS\system32\hsyjrtov.ini
C:\WINDOWS\system32\knyjeoul.ini
C:\WINDOWS\system32\mamffwwq.ini
C:\WINDOWS\system32\orqBLkkj.ini
C:\WINDOWS\system32\orqBLkkj.ini2
C:\WINDOWS\system32\ppqss.bak1
C:\WINDOWS\system32\ppqss.ini
C:\WINDOWS\system32\RBeeOXyb.ini
C:\WINDOWS\system32\RBeeOXyb.ini2
C:\WINDOWS\system32\vfoefygq.ini
C:\WINDOWS\system32\yabLRqru.ini
C:\WINDOWS\system32\yabLRqru.ini2

.
((((((((((((((((((((((((((((( Fichiers cr‚‚s 2008-04-18 to 2008-05-18 ))))))))))))))))))))))))))))))))))))
.

2008-05-17 19:30 . 2008-05-17 19:30 <REP> d-------- C:\Documents and Settings\BUT\Application Data\Malwarebytes
2008-05-17 19:29 . 2008-05-17 19:30 <REP> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-17 19:29 . 2008-05-17 19:29 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-17 19:29 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-17 19:29 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-17 18:14 . 2008-05-17 18:14 <REP> d-------- C:\VundoFix Backups
2008-05-17 18:10 . 2008-05-17 18:10 <REP> d-------- C:\Program Files\Trend Micro
2008-05-16 11:45 . 2008-05-16 12:45 <REP> d-------- C:\Program Files\a-squared Free
2008-05-15 10:22 . 2008-05-17 17:43 424 --a------ C:\WINDOWS\wininit.ini
2008-05-15 08:45 . 2008-05-15 03:48 94,208 --a------ C:\WINDOWS\epfg.exe
2008-05-13 18:07 . 2008-05-18 11:26 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-13 18:07 . 2008-05-13 18:07 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-13 18:04 . 2008-05-13 18:04 <REP> d-------- C:\Program Files\iPod
2008-05-13 18:03 . 2008-05-13 18:04 <REP> d-------- C:\Program Files\iTunes
2008-05-13 18:02 . 2008-05-13 18:02 <REP> d-------- C:\Program Files\Bonjour
2008-05-13 18:01 . 2008-05-13 18:02 <REP> d-------- C:\Program Files\QuickTime
2008-05-13 17:59 . 2008-05-13 17:59 <REP> d-------- C:\Program Files\Fichiers communs\Apple
2008-05-13 17:59 . 2008-05-13 17:59 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-05-10 09:14 . 2008-05-10 09:14 <REP> d-------- C:\Program Files\Fichiers communs\xing shared
2008-04-26 14:29 . 2008-04-26 14:29 <REP> d-------- C:\Program Files\Securitoo
2008-04-26 14:20 . 2008-04-26 14:20 <REP> d-------- C:\Program Files\Inventel

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-18 09:06 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-18 09:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-17 10:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-05-13 16:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-05-13 16:00 --------- d-----w C:\Program Files\Apple Software Update
2008-05-13 12:39 33,612 ----a-w C:\Documents and Settings\BUT\Application Data\wklnhst.dat
2008-05-10 07:14 --------- d-----w C:\Program Files\Fichiers communs\Real
2008-05-09 23:36 --------- d-----w C:\Program Files\eMule
2008-05-09 00:07 --------- d-----w C:\Documents and Settings\BUT\Application Data\uTorrent
2008-05-02 07:39 --------- d-----w C:\Program Files\Java
2008-04-26 11:10 --------- d-----w C:\Program Files\Orange
2008-04-26 11:07 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-26 11:07 --------- d-----w C:\Program Files\SAGEM
2008-04-17 09:59 --------- d-----w C:\Program Files\Labtec
2008-04-17 09:58 --------- d-----w C:\Program Files\Universalis 9
2008-04-17 09:56 --------- d-----w C:\Program Files\EPSON
2008-04-16 07:15 --------- d-----w C:\Program Files\Woonoz
2008-04-16 07:13 --------- d-----w C:\Program Files\MSN Messenger
2008-04-15 20:51 --------- d-----w C:\Program Files\Larousse
2008-04-14 17:02 --------- d-----w C:\Documents and Settings\BUT\Application Data\dvdcss
2008-03-31 15:39 --------- d-----w C:\Program Files\PFConfig
2008-03-23 19:26 --------- d-----w C:\Program Files\Fichiers communs\Adobe
2007-12-03 14:53 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
.

((((((((((((((((((((((((((((((((( Point de chargement Reg )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* les ‚l‚ments vides & les ‚l‚ments initiaux l‚gitimes ne sont pas list‚s

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-05 14:00 15360]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-05-07 10:49 98304]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-05-07 10:49 536576]
"SiSPower"="SiSPower.dll" [2004-09-02 14:47 49152 C:\WINDOWS\system32\SiSPower.dll]
"MessagerStarter Wanadoo"="C:\PROGRA~1\MESSAG~1\StartMessager.exe" [2003-04-04 16:47 32768]
"LVCOMS"="C:\Program Files\Fichiers communs\Logitech\QCDriver2\LVCOMS.EXE" [2003-09-04 11:45 135214]
"avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2008-04-18 08:38 262401]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Edition Découverte\3.2\Apps\apdproxy.exe" [ ]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"TkBellExe"="C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" [2008-05-10 09:14 185896]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-05 14:00 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3codec"= l3codecp.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\eMule\\emule.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"55119:TCP"= 55119:TCP:emule
"58305:UDP"= 58305:UDP:emule
"55129:UDP"= 55129:UDP:emule
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"63440:TCP"= 63440:TCP:utorrent
"63440:UDP"= 63440:UDP:utorrent

R3 CONAN;CONAN;C:\WINDOWS\system32\drivers\o2mmb.sys [2004-02-12 02:18]
R3 MbxStby;MbxStby;C:\WINDOWS\system32\drivers\MbxStby.sys [2004-01-28 00:00]
S3 MBAMCatchMe;MBAMCatchMe;C:\WINDOWS\system32\drivers\mbamcatchme.sys [2008-05-05 20:46]
S3 PID_0920;Logitech QuickCam Express(PID_0920);C:\WINDOWS\system32\DRIVERS\LV532AV.SYS [2003-09-04 11:38]
S3 USBSTOR;Pilote de stockage de masse USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 01:08]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{748b54a8-df3b-11dc-a57b-00030d225165}]
\Shell\AutoRun\command - E:\AutoTransfer.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9ac99938-cfd7-11dc-a56b-4d6564696130}]
\Shell\AutoRun\command - E:\AutoTransfer.exe

.
Contenu du dossier 'Scheduled Tasks/Tƒches planifi‚es'
"2008-05-13 16:01:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-18 11:26:18
Windows 5.1.2600 Service Pack 2 NTFS

Balayage processus cach‚s ...

Balayage cach‚ autostart entries ...

Balayage des fichiers cach‚s ...

Scan termin‚ avec succŠs
Les fichiers cach‚s: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\drivers\CDANTSRV.EXE
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Messager Wanadoo\StartMessager.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\WINDOWS\system32\sistray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Temps d'accomplissement: 2008-05-18 11:30:28 - machine was rebooted [BUT]
ComboFix-quarantined-files.txt 2008-05-18 09:30:23

Pre-Run: 5,704,531,968 octets libres
Post-Run: 6,361,505,792 octets libres

WindowsXP-KB310994-SP2-Home-BootDisk-FRA.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP dition familiale" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

170 --- E O F --- 2008-05-14 22:47:43

merci pour ton aide que reste-t-il à faire dorénavant ?

gandalf · Answer

re bonjour !  faut-il encore que je fasse quelques manipulations afin d'éradiquer définitivement ce satané virus ,
Merci !

gandalf · Answer

SVP pouvez -vous continuer à m'aider ? Je ne sais pas ce qu'il faut faire maintenant...
Merci

gandalf · Answer

Coucou : désolé, je vais peut-être passer pour impatient et impoli, mais j'aimerais vraiment que quelqu'un m'aide pour que je puisse être sûr que mon ordi n'est plus infecté
Merci de votre aide !

gil le fantom · Answer

refais un scan avec ton antivirus et poste moi le rapport stp

gandalf · Answer

Merci je fais ça tout de suite avec avira antivir et je te l'envoie....
Merci de ta part de m'aider depuis hier !!!

gandalf · Answer

coucou : voici le résultat de mon scan avec avira antivir (je précise que je n'ai pas encore réactivé spybot) :
Avira AntiVir Personal
Report file date: 2008-05-18  13:17

Scanning for 1276115 virus strains and unwanted programs.

Licensed to:      Avira AntiVir PersonalEdition Classic
Serial number:    0000149996-ADJIE-0001
Platform:         Windows XP
Windows version:  (Service Pack 2)  [5.1.2600]
Boot mode:        Normally booted
Username:         SYSTEM
Computer name:    YOUR-7AD12AF644

Version information:
BUILD.DAT     : 8.1.00.295      16479 Bytes  09/04/2008 16:24:00
AVSCAN.EXE    : 8.1.2.12       311553 Bytes  18/04/2008 06:38:43
AVSCAN.DLL    : 8.1.1.0         53505 Bytes  18/04/2008 06:38:43
LUKE.DLL      : 8.1.2.9        151809 Bytes  18/04/2008 06:38:43
LUKERES.DLL   : 8.1.2.1         12033 Bytes  18/04/2008 06:38:43
ANTIVIR0.VDF  : 6.40.0.0     11030528 Bytes  18/07/2007 09:35:56
ANTIVIR1.VDF  : 7.0.3.2       5447168 Bytes  07/03/2008 16:19:36
ANTIVIR2.VDF  : 7.0.4.53      1848832 Bytes  17/05/2008 11:44:40
ANTIVIR3.VDF  : 7.0.4.54         2048 Bytes  17/05/2008 11:44:42
Engineversion : 8.1.0.46  
AEVDF.DLL     : 8.1.0.5        102772 Bytes  18/04/2008 06:38:43
AESCRIPT.DLL  : 8.1.0.33       266618 Bytes  16/05/2008 14:37:55
AESCN.DLL     : 8.1.0.18       119156 Bytes  16/05/2008 14:37:53
AERDL.DLL     : 8.1.0.20       418165 Bytes  26/04/2008 17:22:09
AEPACK.DLL    : 8.1.1.5        364918 Bytes  16/05/2008 14:37:52
AEOFFICE.DLL  : 8.1.0.18       192890 Bytes  19/04/2008 07:37:07
AEHEUR.DLL    : 8.1.0.29      1253750 Bytes  16/05/2008 14:37:49
AEHELP.DLL    : 8.1.0.14       115063 Bytes  19/04/2008 07:37:07
AEGEN.DLL     : 8.1.0.21       303477 Bytes  16/05/2008 14:37:40
AEEMU.DLL     : 8.1.0.6        430451 Bytes  08/05/2008 06:19:51
AECORE.DLL    : 8.1.0.29       168311 Bytes  16/05/2008 14:37:37
AVWINLL.DLL   : 1.0.0.7         14593 Bytes  18/04/2008 06:38:43
AVPREF.DLL    : 8.0.0.1         25857 Bytes  18/04/2008 06:38:43
AVREP.DLL     : 7.0.0.1        155688 Bytes  16/04/2007 12:16:24
AVREG.DLL     : 8.0.0.0         30977 Bytes  18/04/2008 06:38:43
AVARKT.DLL    : 1.0.0.23       307457 Bytes  18/04/2008 06:38:43
AVEVTLOG.DLL  : 8.0.0.11       114945 Bytes  18/04/2008 06:38:43
SQLITE3.DLL   : 3.3.17.1       339968 Bytes  18/04/2008 06:38:43
SMTPLIB.DLL   : 1.2.0.19        28929 Bytes  18/04/2008 06:38:43
NETNT.DLL     : 8.0.0.1          7937 Bytes  18/04/2008 06:38:43
RCIMAGE.DLL   : 8.0.0.35      2371841 Bytes  18/04/2008 06:38:38
RCTEXT.DLL    : 8.0.32.0        86273 Bytes  18/04/2008 06:38:38

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:, 
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: on
Scan all files...................: All files
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: high

Start of the scan: 2008-05-18  13:17

Starting search for hidden objects.
'47811' objects were checked, '0' hidden objects were found.

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'notepad.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'iPodService.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'sistray.exe' - '1' Module(s) have been scanned
Scan process 'GoogleUpdater.exe' - '1' Module(s) have been scanned
Scan process 'dslmon.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned
Scan process 'realsched.exe' - '1' Module(s) have been scanned
Scan process 'apdproxy.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'LVComS.exe' - '1' Module(s) have been scanned
Scan process 'StartMessager.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'SynTPEnh.exe' - '1' Module(s) have been scanned
Scan process 'SynTPLpr.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'GoogleUpdaterService.exe' - '1' Module(s) have been scanned
Scan process 'CDANTSRV.EXE' - '1' Module(s) have been scanned
Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'a2service.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
39 processes with 39 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
      [INFO]      No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
      [INFO]      No virus was found!

Starting to scan the registry.
The registry was scanned ( '29' files ).


Starting the file scan:

Begin scan in 'C:\' <System>
C:\hiberfil.sys
      [WARNING]   The file could not be opened!
C:\pagefile.sys
      [WARNING]   The file could not be opened!


End of the scan: 2008-05-18  14:02
Used time: 45:21 min

The scan has been done completely.

   4805 Scanning directories
 152103 Files were scanned
      0 viruses and/or unwanted programs were found
      0 Files were classified as suspicious:
      0 files were deleted
      0 files were repaired
      0 files were moved to quarantine
      0 files were renamed
      2 Files cannot be scanned
 152103 Files not concerned
   7255 Archives were scanned
      2 Warnings
      0 Notes
  47811 Objects were scanned with rootkit scan
      0 Hidden objects were found

Que faut-il faire ? merci

gandalf · Answer

Ouf !!!!!!! Merci beaucoup à tous ceux qui ont pris de leur temps pour m'aider à résoudre ce problème : je n'y serais jamais arrivé tout seul !!!!!
Encore merci !!!!!

gil le fantom · Answer

pour supprimer les outils de désinfections
Télécharge ToolsCleaner de A.Roshtein sur ton Bureau.(sur un des 2 liens) 
http://pagesperso-orange.fr/AceRothstein/ToolsCleaner2.exe 
http://a-rothstein.changelog.fr/TC/ToolsCleaner2.exe 
· Clique sur Recherche et laisse le scan se terminer. 
· Clique, sur Suppression pour finaliser. 
· Tu peux, si tu le souhaites, te servir des Options facultatives. 
· Clique sur Quitter, pour que le rapport puisse se créer. 
· Poste moi le rapport (TCleaner.txt) qui se trouve à la racine de ton disque dur( C:\).

gandalf · Answer

Voilà, je t'envoie le rapport de toolscleaner:
-->- Recherche: 

C:\Vundofix backups: trouvé !
C:\Qoobox: trouvé !
C:\Documents and Settings\BUT\Recent\MSNFix.lnk: trouvé !
C:\Program Files\Navilog1: trouvé !
C:\Program Files\Trend Micro\HijackThis: trouvé !
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe: trouvé !

---------------------------------
-->- Suppression: 

C:\Documents and Settings\BUT\Recent\MSNFix.lnk: supprimé !
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe: supprimé !
C:\Vundofix backups: supprimé !
C:\Qoobox: supprimé !
C:\Program Files\Navilog1: supprimé !
C:\Program Files\Trend Micro\HijackThis: supprimé !

Restauration annulée !
Corbeille vidée!
Fichiers temporaires nettoyés !

Peux-tu me confirmer que tout est vraiment bon ?
En tous les cas, encore merci à vous tous pour votre aide, heureusement que vous êtes là !
PS : si tout est bon, comment faire afin d'indiquer que mon problème est résolu (cela pourra aider les autres)

MERCI BEAUCOUP !!!!

gil le fantom · Answer

tout va bien,il faut que tu t'inscrit comme membre de ccm(gratuit) pour mètre résolu
vient nous rejoindre dans notre communauté 

bon dimanche

Infection par Vundo.GT

28 réponses

Discussions similaires