
Virtumonde problem...

Forum Sécurité - Virus: Virtumonde problem...


hello everyone,
I'm infected with vturq.dll and I can't get rid of it... I've been struggling for 2 hours now... please help me!!!!!!

here is my hijackthis report:
Logfile of HijackThis v1.99.1
Scan saved at 18:52:19, on 22/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\TPSMain.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\TOSHIBA\Tvs\TvsTray.exe
C:\Program Files\TOSHIBA\Commandes TOSHIBA\TFncKy.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Hijackthis Version Française\VERSION TRADUITE ORIGINALE.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.club-internet.fr
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer avec Club-Internet
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3990D48E-3888-4A96-8D1B-0B30CED65FF7} - C:\WINDOWS\system32\vturq.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: MSEvents Object - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\wvuvwxw.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\TOSHIBA\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - Startup: Club Internet.lnk = C:\Program Files\Club-Internet\Lanceur\lanceur.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Créer un favori mobile... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{3BE9C0B9-95AC-4FBA-992A-F92E91C62B3E}: NameServer = 85.255.114.88,85.255.112.72
O17 - HKLM\System\CCS\Services\Tcpip\..\{8903E0E4-C40D-498C-BF62-BBADAD901B6D}: NameServer = 85.255.114.88,85.255.112.72
O17 - HKLM\System\CCS\Services\Tcpip\..\{A3AF6DB8-858A-4BC5-A1BE-F9B453F1F153}: NameServer = 85.255.114.88,85.255.112.72
O17 - HKLM\System\CCS\Services\Tcpip\..\{C643A6EA-6AA4-4AE4-93F7-142C0C1AD407}: NameServer = 85.255.114.88,85.255.112.72
O20 - Winlogon Notify: vturq - C:\WINDOWS\system32\vturq.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O20 - Winlogon Notify: wvuvwxw - C:\WINDOWS\SYSTEM32\wvuvwxw.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: MS Software Shadow Download Provider (dnlsvc) - Unknown owner - C:\DOCUME~1\MATTHI~1\LOCALS~1\Temp\dnlsvc.exe (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Machine Debug Manager (MDM) - Unknown owner - C:\Program Files\Fichiers communs\Microsoft Shared\VS7Debug\mdm.exe (file missing)
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Windows Log - Unknown owner - C:\WINDOWS\system32\nvsvcd.exe (file missing)


Good evening

Several infections

$$ Download VundoFix.exe (by Atribune) to your Desktop.
http://www.atribune.org/ccount/click.php?id=4

* Double-click VundoFix.exe to launch it.
* Check Run VundoFix as a task.
* A message will warn you that the tool is going to close and reopen: click Ok
* Click the Scan for Vundo button.
* When the scan is complete, click the Remove Vundo button.
* A prompt will ask whether you want to delete the files; click YES
* After clicking "Yes", the Desktop will disappear for a moment while the files are deleted.
* You will see a prompt telling you that your PC is going to shut down ("shutdown"); click OK
* Restart your PC.

$$ Download FixWareout from one of these two links:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/fi [...] areout.exe

Save it to your Desktop, then run it.
Click Next, then Install, make sure "Run fixit" is checked, then click Finish.
Follow the on-screen directions.
The tool will ask you to restart your PC; please do so.
The restart may take a little longer than usual; this is normal.

Once restarted, a text file will appear (report.txt); copy/paste that report in your next reply, together with a new HijackThis log and the contents of the report located at C:\vundofix.txt

Reply to chercheur_

here is the vundofix report:

VundoFix V5.1.4

Running as SYSTEM
from c:\windows\system32\VundoFix.exe

Checking Java version...

Scan started at 17:46:22 22/07/2006

Listing files found while scanning....

C:\WINDOWS\system32\Drivers\DP.sys

Beginning removal...

The process smss.exe was successfully stopped

The process winlogon.exe could not be stopped
Vundofix may not be able to delete some files that were found.

The process explorer.exe was successfully stopped

The process iexplore.exe was successfully stopped

The process rundll32.exe was successfully stopped

Attempting to delete C:\WINDOWS\system32\Drivers\DP.sys
C:\WINDOWS\system32\Drivers\DP.sys Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V5.1.4

Running as SYSTEM
from c:\windows\system32\VundoFix.exe

Checking Java version...

Scan started at 18:23:06 22/07/2006

Listing files found while scanning....

No infected files were found.


VundoFix V5.1.4

Checking Java version...

Scan started at 20:55:52 22/07/2006

Listing files found while scanning....

No infected files were found.


VundoFix V5.1.4

Running as SYSTEM
from c:\windows\system32\VundoFix.exe

Checking Java version...

Scan started at 21:24:04 22/07/2006

Listing files found while scanning....

No infected files were found.


Beginning removal...

VundoFix V5.1.4

Running as SYSTEM
from c:\windows\system32\VundoFix.exe

Checking Java version...

Scan started at 23:37:12 22/07/2006

Listing files found while scanning....

No infected files were found.



and the hijackthis:
Logfile of HijackThis v1.99.1
Scan saved at 23:43:09, on 22/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\TPSMain.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\TOSHIBA\Tvs\TvsTray.exe
C:\Program Files\TOSHIBA\Commandes TOSHIBA\TFncKy.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Hijackthis Version Française\VERSION TRADUITE ORIGINALE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer avec Club-Internet
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\wvuvwxw.dll
O2 - BHO: (no name) - {D681D35F-1893-4CA1-AE92-6D5A822524E6} - C:\WINDOWS\system32\vturq.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\TOSHIBA\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Créer un favori mobile... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: vturq - C:\WINDOWS\system32\vturq.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O20 - Winlogon Notify: wvuvwxw - C:\WINDOWS\SYSTEM32\wvuvwxw.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: MS Software Shadow Download Provider (dnlsvc) - Unknown owner - C:\DOCUME~1\MATTHI~1\LOCALS~1\Temp\dnlsvc.exe (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Machine Debug Manager (MDM) - Unknown owner - C:\Program Files\Fichiers communs\Microsoft Shared\VS7Debug\mdm.exe (file missing)

Reply to fritemann

and the last one. thanks for your help!!

Fixwareout ver 1.003
Last edited 07/1/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\xedocne
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\repiwoh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\23plhps
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\mgcppp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\tesvaf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\32refaselif
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\wvlmd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}93F71F807926-1B58-8114-4BB3-15D70900{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\ckbbj
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\xedocne
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\gib_ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\repiwoh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\tesvaf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\32refaselif
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\nbilbaj
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\putesprpgd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\lavinraCputeS
...

Microsoft (R) Windows Script Host Version 5.6
Random Runs removed from HKLM
...

PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Example ipsec6.exe is legitimate

»»»»» Search by size and names...

»»»»» Misc files

»»»»» Checking for older varients covered by the Rem3 tool

»»»»»
Search five digit cs, dm and jb files
This WILL/CAN also list Legit Files, Submit them at Virustotal
Other suspects
Directory of C:\WINDOWS\system32

Reply to fritemann

Re

The FixWareout report is missing. --> No, it's there :-o

As for Vundo, the files are resisting.

Download VirtumundoBegone to the desktop:

http://secured2k.home.comcast.net/ [...] BeGone.exe

Then double-click VirtumundoBeGone.exe and follow the instructions.
Once it has finished, restart and post the VBG.TXT report created on the desktop in your next reply, together with a new HijackThis log.

Don't worry if you see a blue-screen "Fatal error" message; that is normal and expected.

Reply to chercheur_


[07/22/2006, 17:23:48] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Matthieu Picault\Bureau\VirtumundoBeGone.exe" )
[07/22/2006, 17:23:58] - Detected System Information:
[07/22/2006, 17:23:58] - Windows Version: 5.1.2600, Service Pack 2
[07/22/2006, 17:23:58] - Current Username: Matthieu Picault (Admin)
[07/22/2006, 17:23:58] - Windows is in NORMAL mode.
[07/22/2006, 17:23:58] - Searching for Browser Helper Objects:
[07/22/2006, 17:23:58] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[07/22/2006, 17:23:58] - BHO 2: {5CA3D70E-1895-11CF-8E15-001234567890} (DriveLetterAccess)
[07/22/2006, 17:23:58] - BHO 3: {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} ()
[07/22/2006, 17:23:58] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/22/2006, 17:23:58] - Checking for HKLM\...\Winlogon\Notify\wvuvwxw
[07/22/2006, 17:23:58] - Found: HKLM\...\Winlogon\Notify\wvuvwxw - This is probably Virtumundo.
[07/22/2006, 17:23:58] - Assigning {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} MSEvents Object
[07/22/2006, 17:23:58] - BHO list has been changed! Starting over...
[07/22/2006, 17:23:58] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[07/22/2006, 17:23:58] - BHO 2: {5CA3D70E-1895-11CF-8E15-001234567890} (DriveLetterAccess)
[07/22/2006, 17:23:58] - BHO 3: {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} (MSEvents Object)
[07/22/2006, 17:23:58] - ALERT: Found MSEvents Object!
[07/22/2006, 17:23:58] - BHO 4: {7CEF86A8-5927-4157-8E93-88658638D56C} ()
[07/22/2006, 17:23:58] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/22/2006, 17:23:58] - Checking for HKLM\...\Winlogon\Notify\vturq
[07/22/2006, 17:23:58] - Found: HKLM\...\Winlogon\Notify\vturq - This is probably Virtumundo.
[07/22/2006, 17:23:58] - Assigning {7CEF86A8-5927-4157-8E93-88658638D56C} MSEvents Object
[07/22/2006, 17:23:58] - BHO list has been changed! Starting over...
[07/22/2006, 17:23:58] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[07/22/2006, 17:23:58] - BHO 2: {5CA3D70E-1895-11CF-8E15-001234567890} (DriveLetterAccess)
[07/22/2006, 17:23:58] - BHO 3: {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} (MSEvents Object)
[07/22/2006, 17:23:58] - ALERT: Found MSEvents Object!
[07/22/2006, 17:23:58] - BHO 4: {7CEF86A8-5927-4157-8E93-88658638D56C} (MSEvents Object)
[07/22/2006, 17:23:58] - ALERT: Found MSEvents Object!
[07/22/2006, 17:23:58] - Finished Searching Browser Helper Objects
[07/22/2006, 17:23:58] - *** Detected MSEvents Object
[07/22/2006, 17:23:58] - Trying to remove MSEvents Object...
[07/22/2006, 17:23:59] - Terminating Process: IEXPLORE.EXE
[07/22/2006, 17:24:00] - Terminating Process: RUNDLL32.EXE
[07/22/2006, 17:24:00] - Disabling Automatic Shell Restart
[07/22/2006, 17:24:00] - Terminating Process: EXPLORER.EXE
[07/22/2006, 17:24:01] - Suspending the NT Session Manager System Service
[07/22/2006, 17:24:01] - Terminating Windows NT Logon/Logoff Manager

[07/22/2006, 18:27:04] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Matthieu Picault\Bureau\VirtumundoBeGone.exe" )
[07/22/2006, 18:27:18] - Detected System Information:
[07/22/2006, 18:27:18] - Windows Version: 5.1.2600, Service Pack 2
[07/22/2006, 18:27:18] - Current Username: Matthieu Picault (Admin)
[07/22/2006, 18:27:18] - Windows is in NORMAL mode.
[07/22/2006, 18:27:18] - Searching for Browser Helper Objects:
[07/22/2006, 18:27:18] - BHO 1: {064088F0-D1A8-4150-BF7A-C0E56D8A2772} ()
[07/22/2006, 18:27:18] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/22/2006, 18:27:18] - Checking for HKLM\...\Winlogon\Notify\vturq
[07/22/2006, 18:27:18] - Found: HKLM\...\Winlogon\Notify\vturq - This is probably Virtumundo.
[07/22/2006, 18:27:18] - Assigning {064088F0-D1A8-4150-BF7A-C0E56D8A2772} MSEvents Object
[07/22/2006, 18:27:18] - BHO list has been changed! Starting over...
[07/22/2006, 18:27:18] - BHO 1: {064088F0-D1A8-4150-BF7A-C0E56D8A2772} (MSEvents Object)
[07/22/2006, 18:27:18] - ALERT: Found MSEvents Object!
[07/22/2006, 18:27:18] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[07/22/2006, 18:27:18] - BHO 3: {5CA3D70E-1895-11CF-8E15-001234567890} (DriveLetterAccess)
[07/22/2006, 18:27:18] - BHO 4: {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} (MSEvents Object)
[07/22/2006, 18:27:18] - ALERT: Found MSEvents Object!
[07/22/2006, 18:27:18] - Finished Searching Browser Helper Objects
[07/22/2006, 18:27:18] - *** Detected MSEvents Object
[07/22/2006, 18:27:18] - Trying to remove MSEvents Object...
[07/22/2006, 18:27:19] - Terminating Process: IEXPLORE.EXE
[07/22/2006, 18:27:20] - Terminating Process: RUNDLL32.EXE
[07/22/2006, 18:27:20] - Disabling Automatic Shell Restart
[07/22/2006, 18:27:20] - Terminating Process: EXPLORER.EXE
[07/22/2006, 18:27:20] - Suspending the NT Session Manager System Service
[07/22/2006, 18:27:20] - Terminating Windows NT Logon/Logoff Manager

[07/22/2006, 18:36:49] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Matthieu Picault\Bureau\VirtumundoBeGone.exe" )
[07/22/2006, 18:36:50] - Detected System Information:
[07/22/2006, 18:36:50] - Windows Version: 5.1.2600, Service Pack 2
[07/22/2006, 18:36:50] - Current Username: Matthieu Picault (Admin)
[07/22/2006, 18:36:50] - Windows is in NORMAL mode.
[07/22/2006, 18:36:50] - Searching for Browser Helper Objects:
[07/22/2006, 18:36:50] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[07/22/2006, 18:36:50] - BHO 2: {20D12E6C-CC92-4CD5-B620-C7F585660DEC} ()
[07/22/2006, 18:36:50] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/22/2006, 18:36:50] - Checking for HKLM\...\Winlogon\Notify\vturq
[07/22/2006, 18:36:50] - Found: HKLM\...\Winlogon\Notify\vturq - This is probably Virtumundo.
[07/22/2006, 18:36:50] - Assigning {20D12E6C-CC92-4CD5-B620-C7F585660DEC} MSEvents Object
[07/22/2006, 18:36:51] - BHO list has been changed! Starting over...
[07/22/2006, 18:36:51] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[07/22/2006, 18:36:51] - BHO 2: {20D12E6C-CC92-4CD5-B620-C7F585660DEC} (MSEvents Object)
[07/22/2006, 18:36:51] - ALERT: Found MSEvents Object!
[07/22/2006, 18:36:51] - BHO 3: {5CA3D70E-1895-11CF-8E15-001234567890} (DriveLetterAccess)
[07/22/2006, 18:36:51] - BHO 4: {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} (MSEvents Object)
[07/22/2006, 18:36:51] - ALERT: Found MSEvents Object!
[07/22/2006, 18:36:51] - Finished Searching Browser Helper Objects
[07/22/2006, 18:36:51] - *** Detected MSEvents Object
[07/22/2006, 18:36:51] - Trying to remove MSEvents Object...
[07/22/2006, 18:36:52] - Terminating Process: IEXPLORE.EXE
[07/22/2006, 18:36:52] - Terminating Process: RUNDLL32.EXE
[07/22/2006, 18:36:52] - Disabling Automatic Shell Restart
[07/22/2006, 18:36:52] - Terminating Process: EXPLORER.EXE
[07/22/2006, 18:36:53] - Suspending the NT Session Manager System Service
[07/22/2006, 18:36:53] - Terminating Windows NT Logon/Logoff Manager

[07/22/2006, 20:42:45] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Matthieu Picault\Bureau\VirtumundoBeGone.exe" )
[07/22/2006, 20:42:46] - Detected System Information:
[07/22/2006, 20:42:46] - Windows Version: 5.1.2600, Service Pack 2
[07/22/2006, 20:42:46] - Current Username: Administrateur (Admin)
[07/22/2006, 20:42:46] - Windows is in SAFE mode with Networking.
[07/22/2006, 20:42:46] - Searching for Browser Helper Objects:
[07/22/2006, 20:42:46] - BHO 1: {041D2B3B-5F80-4A2C-BBEC-AD082E14D2A2} ()
[07/22/2006, 20:42:46] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/22/2006, 20:42:46] - Checking for HKLM\...\Winlogon\Notify\vturq
[07/22/2006, 20:42:46] - Found: HKLM\...\Winlogon\Notify\vturq - This is probably Virtumundo.
[07/22/2006, 20:42:46] - Assigning {041D2B3B-5F80-4A2C-BBEC-AD082E14D2A2} MSEvents Object
[07/22/2006, 20:42:46] - BHO list has been changed! Starting over...
[07/22/2006, 20:42:46] - BHO 1: {041D2B3B-5F80-4A2C-BBEC-AD082E14D2A2} (MSEvents Object)
[07/22/2006, 20:42:46] - ALERT: Found MSEvents Object!
[07/22/2006, 20:42:46] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[07/22/2006, 20:42:46] - BHO 3: {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} ()
[07/22/2006, 20:42:46] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/22/2006, 20:42:46] - Checking for HKLM\...\Winlogon\Notify\wvuvwxw
[07/22/2006, 20:42:46] - Found: HKLM\...\Winlogon\Notify\wvuvwxw - This is probably Virtumundo.
[07/22/2006, 20:42:46] - Assigning {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} MSEvents Object
[07/22/2006, 20:42:46] - BHO list has been changed! Starting over...
[07/22/2006, 20:42:46] - BHO 1: {041D2B3B-5F80-4A2C-BBEC-AD082E14D2A2} (MSEvents Object)
[07/22/2006, 20:42:46] - ALERT: Found MSEvents Object!
[07/22/2006, 20:42:46] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[07/22/2006, 20:42:46] - BHO 3: {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} (MSEvents Object)
[07/22/2006, 20:42:46] - ALERT: Found MSEvents Object!
[07/22/2006, 20:42:46] - Finished Searching Browser Helper Objects
[07/22/2006, 20:42:46] - *** Detected MSEvents Object
[07/22/2006, 20:42:46] - Trying to remove MSEvents Object...
[07/22/2006, 20:42:47] - Terminating Process: IEXPLORE.EXE
[07/22/2006, 20:42:48] - Terminating Process: RUNDLL32.EXE
[07/22/2006, 20:42:48] - Disabling Automatic Shell Restart
[07/22/2006, 20:42:48] - Terminating Process: EXPLORER.EXE
[07/22/2006, 20:42:48] - Suspending the NT Session Manager System Service
[07/22/2006, 20:42:48] - Terminating Windows NT Logon/Logoff Manager

[07/22/2006, 21:11:22] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Matthieu Picault\Bureau\VirtumundoBeGone.exe" )
[07/22/2006, 21:11:24] - Detected System Information:
[07/22/2006, 21:11:24] - Windows Version: 5.1.2600, Service Pack 2
[07/22/2006, 21:11:24] - Current Username: Administrateur (Admin)
[07/22/2006, 21:11:24] - Windows is in SAFE mode with Networking.
[07/22/2006, 21:11:24] - Searching for Browser Helper Objects:
[07/22/2006, 21:11:24] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[07/22/2006, 21:11:24] - BHO 2: {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} (MSEvents Object)
[07/22/2006, 21:11:24] - ALERT: Found MSEvents Object!
[07/22/2006, 21:11:24] - BHO 3: {BC4413A6-1D12-4019-BE59-C0937E5E8854} ()
[07/22/2006, 21:11:24] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/22/2006, 21:11:24] - Checking for HKLM\...\Winlogon\Notify\vturq
[07/22/2006, 21:11:24] - Found: HKLM\...\Winlogon\Notify\vturq - This is probably Virtumundo.
[07/22/2006, 21:11:24] - Assigning {BC4413A6-1D12-4019-BE59-C0937E5E8854} MSEvents Object
[07/22/2006, 21:11:24] - BHO list has been changed! Starting over...
[07/22/2006, 21:11:24] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[07/22/2006, 21:11:24] - BHO 2: {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} (MSEvents Object)
[07/22/2006, 21:11:24] - ALERT: Found MSEvents Object!
[07/22/2006, 21:11:24] - BHO 3: {BC4413A6-1D12-4019-BE59-C0937E5E8854} (MSEvents Object)
[07/22/2006, 21:11:24] - ALERT: Found MSEvents Object!
[07/22/2006, 21:11:24] - Finished Searching Browser Helper Objects
[07/22/2006, 21:11:24] - *** Detected MSEvents Object
[07/22/2006, 21:11:24] - Trying to remove MSEvents Object...
[07/22/2006, 21:11:25] - Terminating Process: IEXPLORE.EXE
[07/22/2006, 21:11:25] - Terminating Process: RUNDLL32.EXE
[07/22/2006, 21:11:25] - Disabling Automatic Shell Restart
[07/22/2006, 21:11:25] - Terminating Process: EXPLORER.EXE
[07/22/2006, 21:11:26] - Suspending the NT Session Manager System Service
[07/22/2006, 21:11:26] - Terminating Windows NT Logon/Logoff Manager

[07/22/2006, 23:56:05] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Matthieu Picault\Bureau\VirtumundoBeGone.exe" )
[07/22/2006, 23:56:16] - Detected System Information:
[07/22/2006, 23:56:16] - Windows Version: 5.1.2600, Service Pack 2
[07/22/2006, 23:56:16] - Current Username: Matthieu Picault (Admin)
[07/22/2006, 23:56:16] - Windows is in NORMAL mode.
[07/22/2006, 23:56:16] - Searching for Browser Helper Objects:
[07/22/2006, 23:56:16] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[07/22/2006, 23:56:16] - BHO 2: {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} ()
[07/22/2006, 23:56:16] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/22/2006, 23:56:16] - Checking for HKLM\...\Winlogon\Notify\wvuvwxw
[07/22/2006, 23:56:16] - Found: HKLM\...\Winlogon\Notify\wvuvwxw - This is probably Virtumundo.
[07/22/2006, 23:56:16] - Assigning {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} MSEvents Object
[07/22/2006, 23:56:16] - BHO list has been changed! Starting over...
[07/22/2006, 23:56:16] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[07/22/2006, 23:56:16] - BHO 2: {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} (MSEvents Object)
[07/22/2006, 23:56:16] - ALERT: Found MSEvents Object!
[07/22/2006, 23:56:16] - BHO 3: {D681D35F-1893-4CA1-AE92-6D5A822524E6} ()
[07/22/2006, 23:56:16] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/22/2006, 23:56:16] - Checking for HKLM\...\Winlogon\Notify\vturq
[07/22/2006, 23:56:16] - Found: HKLM\...\Winlogon\Notify\vturq - This is probably Virtumundo.
[07/22/2006, 23:56:16] - Assigning {D681D35F-1893-4CA1-AE92-6D5A822524E6} MSEvents Object
[07/22/2006, 23:56:16] - BHO list has been changed! Starting over...
[07/22/2006, 23:56:16] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[07/22/2006, 23:56:16] - BHO 2: {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} (MSEvents Object)
[07/22/2006, 23:56:16] - ALERT: Found MSEvents Object!
[07/22/2006, 23:56:16] - BHO 3: {D681D35F-1893-4CA1-AE92-6D5A822524E6} (MSEvents Object)
[07/22/2006, 23:56:16] - ALERT: Found MSEvents Object!
[07/22/2006, 23:56:16] - Finished Searching Browser Helper Objects
[07/22/2006, 23:56:16] - *** Detected MSEvents Object
[07/22/2006, 23:56:16] - Trying to remove MSEvents Object...
[07/22/2006, 23:56:17] - Terminating Process: IEXPLORE.EXE
[07/22/2006, 23:56:17] - Terminating Process: RUNDLL32.EXE
[07/22/2006, 23:56:17] - Disabling Automatic Shell Restart
[07/22/2006, 23:56:17] - Terminating Process: EXPLORER.EXE
[07/22/2006, 23:56:17] - Suspending the NT Session Manager System Service
[07/22/2006, 23:56:17] - Terminating Windows NT Logon/Logoff Manager



as you can see I had already tried, but it always freezes at the same step: my computer does nothing more, the HDD isn't even working... and I can leave it like that for a long time without anything happening (I tried for 5 min)... :-(

Reply to fritemann

Change of approach.

1. Download The Avenger by Swandog46 to your Desktop
http://swandog46.geekstogo.com/avenger.zip

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop


2. Copy all of the text below: highlight it and press the keys (Ctrl+C):

Files to delete:
C:\WINDOWS\system32\vturq.dll
C:\WINDOWS\SYSTEM32\wvuvwxw.dll
C:\WINDOWS\system32\qrutv.bak
C:\WINDOWS\system32\qrutv.bak1
C:\WINDOWS\system32\qrutv.bak2
C:\WINDOWS\SYSTEM32\qrutv.ini
C:\WINDOWS\system32\qrutv.ini1
C:\WINDOWS\system32\qrutv.ini2
C:\WINDOWS\SYSTEM32\qrutv.tmp
C:\WINDOWS\system32\wxwvuvw.bak
C:\WINDOWS\system32\wxwvuvw.bak1
C:\WINDOWS\system32\wxwvuvw.bak2
C:\WINDOWS\SYSTEM32\wxwvuvw.ini
C:\WINDOWS\system32\wxwvuvw.ini1
C:\WINDOWS\system32\wxwvuvw.ini2
C:\WINDOWS\SYSTEM32\wxwvuvw.tmp
IMPORTANT: The script above was written specifically for THIS user.
If you are not THIS user, do NOT apply these directions: they could damage your system.

3. Now launch The Avenger by clicking its desktop icon.

  • Under "Script file to execute" choose "Input Script Manually".
  • Then click the magnifying-glass icon, which opens a new "View/edit script" window
  • In that window, paste the text you copied earlier with (Ctrl+V).
  • Click Done
  • Then click the green-light icon to start running the script
  • Answer "Yes" twice when prompted.


4. The Avenger will automatically do the following:

  • It will restart the system.
  • During the restart, a black Windows command window will briefly appear on your desktop; this is NORMAL.
  • After the restart, it creates a log file that will open, showing the actions carried out by The Avenger. This log file is located at: C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, zipped them, and moved the zip archive to C:\avenger\backup.zip.


5. Finally, copy/paste the contents of the file c:\avenger.txt into your reply, along with a new HijackThis log, using REPLY

Reply to chercheur_

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\gxthhgwn

*******************

Script file located at: \??\C:\WINDOWS\system32\pensowbh.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\vturq.dll deleted successfully.
File C:\WINDOWS\SYSTEM32\wvuvwxw.dll deleted successfully.


File C:\WINDOWS\system32\qrutv.bak not found!
Deletion of file C:\WINDOWS\system32\qrutv.bak failed!

Could not process line:
C:\WINDOWS\system32\qrutv.bak
Status: 0xc0000034

File C:\WINDOWS\system32\qrutv.bak1 deleted successfully.
File C:\WINDOWS\system32\qrutv.bak2 deleted successfully.
File C:\WINDOWS\SYSTEM32\qrutv.ini deleted successfully.


File C:\WINDOWS\system32\qrutv.ini1 not found!
Deletion of file C:\WINDOWS\system32\qrutv.ini1 failed!

Could not process line:
C:\WINDOWS\system32\qrutv.ini1
Status: 0xc0000034



File C:\WINDOWS\system32\qrutv.ini2 not found!
Deletion of file C:\WINDOWS\system32\qrutv.ini2 failed!

Could not process line:
C:\WINDOWS\system32\qrutv.ini2
Status: 0xc0000034



File C:\WINDOWS\SYSTEM32\qrutv.tmp not found!
Deletion of file C:\WINDOWS\SYSTEM32\qrutv.tmp failed!

Could not process line:
C:\WINDOWS\SYSTEM32\qrutv.tmp
Status: 0xc0000034



File C:\WINDOWS\system32\wxwvuvw.bak not found!
Deletion of file C:\WINDOWS\system32\wxwvuvw.bak failed!

Could not process line:
C:\WINDOWS\system32\wxwvuvw.bak
Status: 0xc0000034



File C:\WINDOWS\system32\wxwvuvw.bak1 not found!
Deletion of file C:\WINDOWS\system32\wxwvuvw.bak1 failed!

Could not process line:
C:\WINDOWS\system32\wxwvuvw.bak1
Status: 0xc0000034



File C:\WINDOWS\system32\wxwvuvw.bak2 not found!
Deletion of file C:\WINDOWS\system32\wxwvuvw.bak2 failed!

Could not process line:
C:\WINDOWS\system32\wxwvuvw.bak2
Status: 0xc0000034



File C:\WINDOWS\SYSTEM32\wxwvuvw.ini not found!
Deletion of file C:\WINDOWS\SYSTEM32\wxwvuvw.ini failed!

Could not process line:
C:\WINDOWS\SYSTEM32\wxwvuvw.ini
Status: 0xc0000034



File C:\WINDOWS\system32\wxwvuvw.ini1 not found!
Deletion of file C:\WINDOWS\system32\wxwvuvw.ini1 failed!

Could not process line:
C:\WINDOWS\system32\wxwvuvw.ini1
Status: 0xc0000034



File C:\WINDOWS\system32\wxwvuvw.ini2 not found!
Deletion of file C:\WINDOWS\system32\wxwvuvw.ini2 failed!

Could not process line:
C:\WINDOWS\system32\wxwvuvw.ini2
Status: 0xc0000034



File C:\WINDOWS\SYSTEM32\wxwvuvw.tmp not found!
Deletion of file C:\WINDOWS\SYSTEM32\wxwvuvw.tmp failed!

Could not process line:
C:\WINDOWS\SYSTEM32\wxwvuvw.tmp
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.

Reply to fritemann
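A note on reading the Avenger log above, with an added example that is not part of the thread and not The Avenger's own code. Every "failed!" entry in that log carries `Status: 0xc0000034`, which is the NTSTATUS value STATUS_OBJECT_NAME_NOT_FOUND: the file was simply not on disk any more, so those entries are not real failures. The two DLLs that mattered (vturq.dll and wvuvwxw.dll) were deleted. The script below parses such a log and separates "already gone" from genuine failures such as STATUS_ACCESS_DENIED or STATUS_SHARING_VIOLATION (a locked or protected file). The sample log is a constructed excerpt modelled on the one posted above; the assumption that The Avenger reports other NTSTATUS codes in the same `Status: 0x...` format is mine.

```python
import re

# Constructed excerpt, modelled on the C:\avenger.txt posted above.
SAMPLE_AVENGER_LOG = r"""
File C:\WINDOWS\system32\vturq.dll deleted successfully.
File C:\WINDOWS\SYSTEM32\wvuvwxw.dll deleted successfully.

File C:\WINDOWS\system32\qrutv.bak not found!
Deletion of file C:\WINDOWS\system32\qrutv.bak failed!

Could not process line:
C:\WINDOWS\system32\qrutv.bak
Status: 0xc0000034
"""

# Standard NTSTATUS codes and how to treat them in a cleanup log.
# Only 0xC0000034 occurs in the log above; the others are assumed to be
# reported by The Avenger in the same "Status:" format (not verified).
NTSTATUS = {
    0xC0000034: ("STATUS_OBJECT_NAME_NOT_FOUND", "benign"),
    0xC000003A: ("STATUS_OBJECT_PATH_NOT_FOUND", "benign"),
    0xC0000022: ("STATUS_ACCESS_DENIED", "real"),
    0xC0000043: ("STATUS_SHARING_VIOLATION", "real"),
}

DELETED_RE = re.compile(r"^File (.+?) deleted successfully\.$", re.MULTILINE)
# A failed entry is a three-line record: header, the offending path, status.
FAILED_RE = re.compile(
    r"^Could not process line:\n(.+?)\nStatus: 0x([0-9A-Fa-f]{8})$", re.MULTILINE)


def parse_avenger_log(text):
    """Return {'deleted': [...], 'already_gone': [...], 'failed': [(path, status)]}."""
    result = {"deleted": [], "already_gone": [], "failed": []}
    for m in DELETED_RE.finditer(text):
        result["deleted"].append(m.group(1))
    for m in FAILED_RE.finditer(text):
        path, code = m.group(1), int(m.group(2), 16)
        name, severity = NTSTATUS.get(code, (f"0x{code:08X}", "real"))
        if severity == "benign":
            result["already_gone"].append(path)   # nothing left to remove
        else:
            result["failed"].append((path, name))  # needs a second look
    return result


def needs_attention(result):
    """True only if a file The Avenger was asked to delete is still there."""
    return bool(result["failed"])


if __name__ == "__main__":
    r = parse_avenger_log(SAMPLE_AVENGER_LOG)
    for key in ("deleted", "already_gone", "failed"):
        print(f"{key}: {r[key]}")
    print("needs attention:", needs_attention(r))
```

Run it against a real C:\avenger.txt by reading the file into `parse_avenger_log`; if `needs_attention` is False, the "failed!" lines can be ignored and you move on to cleaning the registry load points with HijackThis, as the next posts do.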

And here is the HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 00:48:42, on 23/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\TPSMain.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\TOSHIBA\Tvs\TvsTray.exe
C:\Program Files\TOSHIBA\Commandes TOSHIBA\TFncKy.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox 2 Beta 1\firefox.exe
C:\Program Files\Hijackthis Version Française\VERSION TRADUITE ORIGINALE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer avec Club-Internet
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: MSEvents Object - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\wvuvwxw.dll (file missing)
O2 - BHO: (no name) - {C6A67436-B135-49CF-9BCA-3B7305E5961A} - C:\WINDOWS\system32\vturq.dll (file missing)
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\TOSHIBA\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Créer un favori mobile... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: vturq - C:\WINDOWS\system32\vturq.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O20 - Winlogon Notify: wvuvwxw - wvuvwxw.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: MS Software Shadow Download Provider (dnlsvc) - Unknown owner - C:\DOCUME~1\MATTHI~1\LOCALS~1\Temp\dnlsvc.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Machine Debug Manager (MDM) - Unknown owner - C:\Program Files\Fichiers communs\Microsoft Shared\VS7Debug\mdm.exe (file missing)

Thanks for your help, thanks a lot!!!!

Reply to fritemann

Run a HijackThis scan again and check the lines below:

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: MSEvents Object - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\wvuvwxw.dll (file missing)
O2 - BHO: (no name) - {C6A67436-B135-49CF-9BCA-3B7305E5961A} - C:\WINDOWS\system32\vturq.dll (file missing)
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O20 - Winlogon Notify: vturq - C:\WINDOWS\system32\vturq.dll (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O20 - Winlogon Notify: wvuvwxw - wvuvwxw.dll (file missing)

Close every window (Windows, Internet Explorer, Outlook) except HijackThis, then click "Fix checked"

Reply to chercheur_
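An added example, my code rather than HijackThis's or the helper's, that applies the triage behind the list above to HijackThis log lines. Two signals are visible in the log posted above: the same DLL (vturq.dll, wvuvwxw.dll) registered both as an O2 Browser Helper Object and as an O20 Winlogon Notify handler, which is the Virtumonde/Vundo persistence pattern, and "(file missing)" on those entries, meaning the DLL is gone but its registry load point is still there and is what "Fix checked" removes. As a third, weaker signal it flags O23 services whose binary lives under a Temp directory as worth a look. The sample lines are constructed from the log above; the `Files to delete:` output for flagged DLLs still on disk is my assumption about how one would chain this with The Avenger script from earlier in the thread.

```python
import re
from collections import defaultdict

# Constructed sample: O2/O20/O23 lines modelled on the HijackThis log
# posted above (same names and CLSIDs), plus benign entries for contrast.
SAMPLE_HJT_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: MSEvents Object - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\wvuvwxw.dll (file missing)
O2 - BHO: (no name) - {C6A67436-B135-49CF-9BCA-3B7305E5961A} - C:\WINDOWS\system32\vturq.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O20 - Winlogon Notify: vturq - C:\WINDOWS\system32\vturq.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: wvuvwxw - wvuvwxw.dll (file missing)
O23 - Service: MS Software Shadow Download Provider (dnlsvc) - Unknown owner - C:\DOCUME~1\MATTHI~1\LOCALS~1\Temp\dnlsvc.exe (file missing)
"""

SECTION_RE = re.compile(r"^O\d+$")
MISSING_TAG = " (file missing)"


def parse_hjt_line(line):
    """Split one 'Oxx - desc [- more] - path' line; other lines give None."""
    parts = line.strip().split(" - ")
    if len(parts) < 3 or not SECTION_RE.match(parts[0]):
        return None
    path = parts[-1]
    missing = path.endswith(MISSING_TAG)
    if missing:
        path = path[: -len(MISSING_TAG)]
    return {"section": parts[0], "desc": " - ".join(parts[1:-1]),
            "path": path, "missing": missing, "raw": line.strip()}


def basename(path):
    # O20 entries are often a bare DLL name; rsplit copes with both forms.
    return path.rsplit("\\", 1)[-1].lower()


def triage(text):
    """Return the parsed entries that deserve action, each with its reasons."""
    entries = [e for e in map(parse_hjt_line, text.splitlines()) if e]
    loaders = defaultdict(set)  # DLL basename -> sections that load it
    for e in entries:
        if e["section"] in ("O2", "O20"):
            loaders[basename(e["path"])].add(e["section"])
    findings = []
    for e in entries:
        reasons = []
        if e["section"] in ("O2", "O20"):
            if loaders[basename(e["path"])] >= {"O2", "O20"}:
                reasons.append("same DLL registered as BHO and as Winlogon Notify handler")
            if e["missing"]:
                reasons.append("orphaned load point: file missing")
        elif e["section"] == "O23" and "\\temp\\" in e["path"].lower():
            reasons.append("service binary lives under a Temp directory")
        if reasons:
            findings.append(dict(e, reasons=reasons))
    return findings


def fix_list(findings):
    """Lines to tick in HijackThis before 'Fix checked' (registry load points)."""
    return [f["raw"] for f in findings if f["section"] in ("O2", "O20")]


def avenger_script(findings):
    """'Files to delete:' script for flagged DLLs still on disk, or None.
    Bare names (no directory) are skipped rather than guessed."""
    paths = {}
    for f in findings:
        if f["section"] in ("O2", "O20") and not f["missing"] and "\\" in f["path"]:
            paths.setdefault(basename(f["path"]), f["path"])  # dedupe per DLL
    if not paths:
        return None
    return "Files to delete:\n" + "\n".join(paths.values())


if __name__ == "__main__":
    found = triage(SAMPLE_HJT_LOG)
    for f in found:
        print(f["raw"], "\n   ->", "; ".join(f["reasons"]))
    print("\nTick in HijackThis:", *fix_list(found), sep="\n")
    print("\nAvenger script:", avenger_script(found))
```

On the sample every flagged DLL is already missing, so `avenger_script` returns None and the whole job is the HijackThis fix, which matches what the helper asked for. Run on the earlier log from this thread, where the DLLs still existed, it would instead list them for The Avenger first and the HijackThis fix second.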

Logfile of HijackThis v1.99.1
Scan saved at 01:01:58, on 23/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\TPSMain.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\TOSHIBA\Tvs\TvsTray.exe
C:\Program Files\TOSHIBA\Commandes TOSHIBA\TFncKy.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hijackthis Version Française\VERSION TRADUITE ORIGINALE.EXE
C:\Program Files\Mozilla Firefox 2 Beta 1\firefox.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer avec Club-Internet
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\TOSHIBA\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Créer un favori mobile... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: MS Software Shadow Download Provider (dnlsvc) - Unknown owner - C:\DOCUME~1\MATTHI~1\LOCALS~1\Temp\dnlsvc.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Machine Debug Manager (MDM) - Unknown owner - C:\Program Files\Fichiers communs\Microsoft Shared\VS7Debug\mdm.exe (file missing)

I hope this is the last log I'm sending you... :-D
Tell me if it's OK, and whether it's normal that my Task Manager is still blocked?
Many thanks to you.

Reply to fritemann

Nothing infectious left in this log.

Delete

VirtumundoBegone
VundoFix
The Avenger.

Download Zeb-Restore
http://telechargement.zebulon.fr/233-zeb-restore.html
Install it.
Run it.
Check
- Task Manager
- File extensions.
Click Restore.

Reply to chercheur_

Thanks again for your help.
I'll finally be able to go to bed in peace.
Good night to you, and thanks again.

Reply to fritemann