This is chantal11 posting this message on behalf of a friend infected with Vundo.
In the early afternoon, the PC would no longer boot and ended up at a blue screen.
That part was fixed by a repair using my Vista installation DVD, and Vista is now willing to start, but it has lost some functionality: the Control Panel can no longer be opened, no more CHKDSK ...
System protection: BitDefender and Windows Defender.
I ran a Malwarebytes scan; here are the reports:
1st HijackThis report:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:52:59, on 14/08/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16711)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
C:\Program Files\ScanSoft\OmniPageSE4\OpWareSE4.exe
C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Club-Internet\Lanceur\lanceur.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.club-internet.fr
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer avec Club-Internet
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Programme d'aide de l'Assistant de connexion Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe"
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [SBI] C:\Users\Marie-José\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1PC9ERMO\setup_sbd_fr[1].exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'SERVICE RÉSEAU')
O4 - Startup: Club Internet.lnk = C:\Program Files\Club-Internet\Lanceur\lanceur.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Ajouter à la liste d'impressions - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint Impression rapide - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Imprimer - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Easy-WebPrint Prévisualiser - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O9 - Extra button: Envoyer à OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: &Envoyer à OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net ... plugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
--
End of file - 6866 bytes
Malwarebytes scan in Safe Mode:
Malwarebytes' Anti-Malware 1.24
Version de la base de données: 1052
Windows 6.0.6000
16:53:49 14/08/2008
mbam-log-8-14-2008 (16-53-49).txt
Type de recherche: Examen complet (C:\|)
Eléments examinés: 113206
Temps écoulé: 18 minute(s), 56 second(s)
Processus mémoire infecté(s): 0
Module(s) mémoire infecté(s): 0
Clé(s) du Registre infectée(s): 5
Valeur(s) du Registre infectée(s): 0
Elément(s) de données du Registre infecté(s): 0
Dossier(s) infecté(s): 4
Fichier(s) infecté(s): 78
Processus mémoire infecté(s):
(Aucun élément nuisible détecté)
Module(s) mémoire infecté(s):
(Aucun élément nuisible détecté)
Clé(s) du Registre infectée(s):
HKEY_CURRENT_USER\SOFTWARE\VAV (Rogue.VistaAntivirus2008) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Adsl Software Limited (Rogue.MalWarrior) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\MS Juan (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
Valeur(s) du Registre infectée(s):
(Aucun élément nuisible détecté)
Elément(s) de données du Registre infecté(s):
(Aucun élément nuisible détecté)
Dossier(s) infecté(s):
C:\Program Files\Antivirus 2009 (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
C:\Program Files\VAV (Rogue.VistaAntivirus2008) -> Quarantined and deleted successfully.
C:\ProgramData\Adsl Software Limited (Rogue.MalWarrior) -> Quarantined and deleted successfully.
C:\ProgramData\Adsl Software Limited\WinSpywareProtect (Rogue.MalWarrior) -> Quarantined and deleted successfully.
Fichier(s) infecté(s):
C:\Program Files\VAV\vav.cpl (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Users\Marie-José\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1PC9ERMO\kb456456[2] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Marie-José\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1PC9ERMO\kb767887[2] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Marie-José\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E3J8P9MD\kb456456[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Marie-José\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E3J8P9MD\kb767887[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Marie-José\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RKYUWEQ8\AV2009Install_77052209[1].exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Users\Marie-José\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RKYUWEQ8\kb767887[2] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Marie-José\AppData\Local\Temp\bnafupxk.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Marie-José\AppData\Local\Temp\jmxgjthl.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Marie-José\AppData\Local\Temp\mxcsyqfc.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Marie-José\AppData\Local\Temp\npnqiica.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Marie-José\AppData\Local\Temp\opnmJDTJ.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Marie-José\AppData\Local\Temp\rinrtssd.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Marie-José\AppData\Local\Temp\ssqNExUl.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Marie-José\AppData\Local\Temp\tmp0000690e (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Marie-José\AppData\Local\Temp\tmp00006ac3 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Marie-José\AppData\Local\Temp\tmp00006b20 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Marie-José\AppData\Local\Temp\tmp00006c2a (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Marie-José\AppData\Local\Temp\tmp00006c97 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Marie-José\AppData\Local\Temp\tmp00006cd5 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Marie-José\AppData\Local\Temp\tmp00006ce5 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Marie-José\AppData\Local\Temp\tmp00006d23 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Marie-José\AppData\Local\Temp\tmp00006d42 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Marie-José\AppData\Local\Temp\tmp00006d71 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Marie-José\AppData\Local\Temp\tmp00006da0 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Marie-José\AppData\Local\Temp\tmp00006ef7 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Marie-José\AppData\Local\Temp\tmp00006f07 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Marie-José\AppData\Local\Temp\tmp00006f64 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Marie-José\AppData\Local\Temp\tmp00006fa3 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Marie-José\AppData\Local\Temp\tmp0000708d (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Marie-José\AppData\Local\Temp\tmp000071b5 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Marie-José\AppData\Local\Temp\tmp00007242 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Marie-José\AppData\Local\Temp\tmp00007270 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Marie-José\AppData\Local\Temp\tmp000072de (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Marie-José\AppData\Local\Temp\tmp00007492 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Marie-José\AppData\Local\Temp\tmp0000750f (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Marie-José\AppData\Local\Temp\tmp0000756d (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Marie-José\AppData\Local\Temp\tmp000075da (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Marie-José\AppData\Local\Temp\tmp0000778f (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Marie-José\AppData\Local\Temp\tmp0000782b (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Marie-José\AppData\Local\Temp\tmp00007924 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Marie-José\AppData\Local\Temp\tmp00007b66 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Marie-José\AppData\Local\Temp\tmp00007c02 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Marie-José\AppData\Local\Temp\tmp00007c7f (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Marie-José\AppData\Local\Temp\tmp000081fb (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Marie-José\AppData\Local\Temp\tmp000082a6 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Marie-José\AppData\Local\Temp\tmp00008371 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Marie-José\AppData\Local\Temp\tmp00008526 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Marie-José\AppData\Local\Temp\tmp0000861f (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Marie-José\AppData\Local\Temp\tmp0000865e (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Marie-José\AppData\Local\Temp\tmp00008738 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Marie-José\AppData\Local\Temp\tmp000087f3 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Marie-José\AppData\Local\Temp\tmp0000893b (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Marie-José\AppData\Local\Temp\tmp00008a15 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Marie-José\AppData\Local\Temp\tmp00008a73 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Marie-José\AppData\Local\Temp\tmp00008bca (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Marie-José\AppData\Local\Temp\tmp00008fd0 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Marie-José\AppData\Local\Temp\tmp0000924f (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Marie-José\AppData\Local\Temp\tmp0000927e (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Marie-José\AppData\Local\Temp\tmp000095a9 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Marie-José\AppData\Local\Temp\tmp00009913 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Marie-José\AppData\Local\Temp\tmp00009b93 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Marie-José\AppData\Local\Temp\tmp00009e22 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Marie-José\AppData\Local\Temp\tmp00009eed (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Marie-José\AppData\Local\Temp\tmp0000abd8 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Marie-José\AppData\Local\Temp\tmp0000ad00 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Marie-José\AppData\Local\Temp\tmp0000af9f (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Marie-José\AppData\Local\Temp\tmp0000bb62 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Marie-José\AppData\Local\Temp\tmp0000e291 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Marie-José\AppData\Local\Temp\tmp00015d8a (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Marie-José\AppData\Local\Temp\tmp00016c0a (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Marie-José\AppData\Local\Temp\tmp000188ce (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Marie-José\AppData\Local\Temp\wvUoOHAR.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\vav.cpl (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\VAV\vav0.dat (Rogue.VistaAntivirus2008) -> Quarantined and deleted successfully.
C:\Program Files\VAV\vav1.dat (Rogue.VistaAntivirus2008) -> Quarantined and deleted successfully.
C:\ProgramData\Adsl Software Limited\WinSpywareProtect\WinSpywareProtect.exe (Rogue.MalWarrior) -> Quarantined and deleted successfully.
C:\Users\Marie-José\AppData\Local\Temp\media.php (Trojan.FakeAlert) -> Quarantined and deleted successfully.
Cleanup with CCleaner (Cleaner function)
2nd HijackThis report:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:05:28, on 14/08/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16711)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
C:\Program Files\ScanSoft\OmniPageSE4\OpWareSE4.exe
C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Club-Internet\Lanceur\lanceur.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.club-internet.fr
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer avec Club-Internet
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Programme d'aide de l'Assistant de connexion Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe"
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [SBI] C:\Users\Marie-José\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1PC9ERMO\setup_sbd_fr[1].exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'SERVICE RÉSEAU')
O4 - Startup: Club Internet.lnk = C:\Program Files\Club-Internet\Lanceur\lanceur.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Ajouter à la liste d'impressions - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint Impression rapide - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Imprimer - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Easy-WebPrint Prévisualiser - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O9 - Extra button: Envoyer à OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: &Envoyer à OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net ... plugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
--
End of file - 6863 bytes
Marijo11 is awaiting your instructions,
Thank you very much,
