[RESOLU] Virus et ouverture de fenêtre de pub internet

[casper80]

Bonjour,

 

J'aurais besoin de votre aide...

 

J'ai depuis le début de semaine des fenêtres de pub qui s'ouvrent à tout bout de champ, un virus en mémoire vive nommé win32/agent.ODG (impossible à supprimer), des accès internet qui se bloque (et même l'accès au modem/routeur devient alors impossible... enfin, c'est la galère. Impossible également de lancer les scan en ligne...

 

J'ai NOD32 et, il me supprime tous les jours les mêmes cochonneries qui semblent toujours dans l'ordi.... ça y est, je pleure tellement ça devient la galère.

 

Vous trouverez mon log HijackThis ci-dessous, merci pour votre aide pour essayer d'enlever toutes les cochonneries de mon ordi.

 

Merci d'avance

 

Logfile of HijackThis v1.99.1

Scan saved at 15:01:11, on 08/05/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\ASUS\Six Engine\SixEngine.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Fichiers communs\InstallShield\UpdateService\issch.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\AVID\DPF MP3 FOR FLASH\KeyChainMonitor.exe

C:\Program Files\Fichiers communs\Ahead\Lib\NMBgMonitor.exe

C:\DOCUME~1\Moa\LOCALS~1\Temp\dew6eez.exe

C:\DOCUME~1\Moa\LOCALS~1\Temp\dew6eez.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Fichiers communs\Ahead\Lib\NMIndexingService.exe

C:\WINDOWS\System32\wbem\wmiapsrv.exe

C:\Program Files\Fichiers communs\Ahead\Lib\NMIndexStoreSvr.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\totalcmd\TOTALCMD.EXE

E:\hijackthis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://fr.yahoo.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://fr.yahoo.com

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens

O2 - BHO: (no name) - {40a51feb-5f15-424f-a5dc-5d421e2d8353} - C:\WINDOWS\system32\risowupa.dll

O4 - HKLM\..\Run: [six Engine] "C:\Program Files\ASUS\Six Engine\SixEngine.exe" -r

O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe boot

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Fichiers communs\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Fichiers communs\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice

O4 - HKLM\..\Run: [CPM2ba87f3c] Rundll32.exe "c:\windows\system32\dutudari.dll",a

O4 - HKLM\..\Run: [vahisupiki] Rundll32.exe "C:\WINDOWS\system32\gejanojo.dll",s

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [KeyChainManager] C:\Program Files\AVID\DPF MP3 FOR FLASH\KeyChainMonitor.exe

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Fichiers communs\Ahead\Lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent

O4 - HKCU\..\Run: [] C:\DOCUME~1\Moa\LOCALS~1\Temp\dew6eez.exe

O4 - HKCU\..\Run: [uidenhiufgsduiazghs] C:\DOCUME~1\Moa\LOCALS~1\Temp\dew6eez.exe

O4 - HKCU\..\Run: [A00F2944471.exe] C:\DOCUME~1\Moa\LOCALS~1\Temp\_A00F2944471.exe

O4 - HKCU\..\Run: [12ZFG94-F641-2SF-K31P-5N1ER6H6L2] C:\RECYCLER\S-1-5-21-9560416769-6723167756-069926884-4207\service.exe

O4 - HKCU\..\Run: [12CFG515-K641-55SF-N66P] C:\RECYCLER\S-1-5-21-0243636035-3055115376-381863306-1556\pqlmq.exe

O4 - HKCU\..\Run: [A00F299DEE4.exe] C:\DOCUME~1\Moa\LOCALS~1\Temp\_A00F299DEE4.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: KeyChain Monitor.lnk = ?

O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: http://www.secuser.com

O16 - DPF: {2D4E19D6-9F7E-4132-9C50-B89D9BE746A7} (IPdiva NG ActiveX) - https://vpn.ipdiva.net/mediation/org/corwin...vaNgActiveX.cab

O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://vpn.ipdiva.net/mediation/org/corwin...cated/msrdp.cab

O16 - DPF: {E6ACF817-0A85-4EBE-9F0A-096C6488CFEA} (NTR ActiveX 1.1. - http://ntr.corwin.fr/inquiero/mod/setup/ntractivex118_28.cab

O20 - AppInit_DLLs: c:\windows\system32\dutudari.dll,C:\WINDOWS\system32\yetugayu.dll

O20 - Winlogon Notify: __c002F720 - C:\WINDOWS\system32\__c002F720.dat

O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\dutudari.dll

O23 - Service: Service de transfert intelligent en arrière-plan (BITS) - Unknown owner - %fystemRoot%\System32\svchost.exe (file missing)

O23 - Service: ESET HTTP Server (ehttpsrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe

O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Fichiers communs\Ahead\Lib\NMIndexingService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

Modifié le 8 mai 2009 par casper80

[Falkra]

Bonjour,

 

Clique sur ce lien pour télécharger HijackThis 2.0.2 :

http://www.trendsecure.com/portal/en-US/_d.../HiJackThis.exe

Remplace ta version par celle là pour les prochains rapports HijackThis, la tienne est obsolète.

 

Télécharge Malwarebytes' Anti-Malware (MBAM)

 

• Double clique sur le fichier téléchargé pour lancer le processus d'installation.
  
• Dans l'onglet "Mise à jour", clique sur le bouton "Recherche de mise à jour": si le pare-feu demande l'autorisation à MBAM de se connecter, accepte.
  
• Une fois la mise à jour terminée, rends-toi dans l'onglet "Recherche".
  
• Sélectionne "Exécuter un examen rapide"
  
• Clique sur "Rechercher"
  
• L'analyse démarre.
  
• A la fin de l'analyse (mais ce n'est pas fini), un message s'affiche :

  L'examen s'est terminé normalement. Clique sur 'Afficher les résultats' pour afficher tous les objets trouvés.

  Clique sur "Ok" pour poursuivre. Si MBAM n'a rien trouvé, il te le dira aussi. N'oublie pas la suite.
  
• Ferme tes navigateurs.
  
• Si des malwares ont été détectés, clique sur Afficher les résultats.
  Sélectionne tout (ou laisse coché) et clique sur Supprimer la sélection, MBAM va détruire les fichiers et clés de registre et en mettre une copie dans la quarantaine.
  
• MBAM va ouvrir le Bloc-notes et y copier le rapport d'analyse. Copie-colle ce rapport et poste-le dans ta prochaine réponse.
  

 

NB : Si MBAM te demande à redémarrer, fais-le.

[casper80]

71.... c'est le résultat de l'analyse et des suppressions !!!

 

que dois-je faire d'autres ?

 

 

Malwarebytes' Anti-Malware 1.36

Version de la base de données: 2093

Windows 5.1.2600 Service Pack 2

 

08/05/2009 15:29:41

mbam-log-2009-05-08 (15-29-41).txt

 

Type de recherche: Examen rapide

Eléments examinés: 73955

Temps écoulé: 1 minute(s), 42 second(s)

 

Processus mémoire infecté(s): 2

Module(s) mémoire infecté(s): 3

Clé(s) du Registre infectée(s): 15

Valeur(s) du Registre infectée(s): 11

Elément(s) de données du Registre infecté(s): 2

Dossier(s) infecté(s): 2

Fichier(s) infecté(s): 36

 

Processus mémoire infecté(s):

C:\Documents and Settings\Moa\Local Settings\Temp\dew6eez.exe (Trojan.Downloader) -> Unloaded process successfully.

C:\Documents and Settings\Moa\Local Settings\Temp\dew6eez.exe (Trojan.Downloader) -> Unloaded process successfully.

 

Module(s) mémoire infecté(s):

c:\WINDOWS\system32\dutudari.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\gejanojo.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\__c002F720.dat (Trojan.Vundo) -> Delete on reboot.

 

Clé(s) du Registre infectée(s):

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{40a51feb-5f15-424f-a5dc-5d421e2d8353} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{40a51feb-5f15-424f-a5dc-5d421e2d8353} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c002f720 (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\y537.y537mgr (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\TypeLib\{e63648f7-3933-440e-b4f6-a8584dd7b7eb} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{f7d09218-46d7-4d3d-9b7f-315204cd0836} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{e7f15ac4-e0a9-43f0-921b-70dfea621220} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\y537.y537mgr.1 (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c2ba40a1-74f3-42bd-f434-12345a2c8953} (Trojan.Ertfor) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{40a51feb-5f15-424f-a5dc-5d421e2d8353} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> Quarantined and deleted successfully.

 

Valeur(s) du Registre infectée(s):

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm2ba87f3c (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vahisupiki (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ (Trojan.Downloader) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uidenhiufgsduiazghs (Trojan.Downloader) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{c2ba40a1-74f3-42bd-f434-12345a2c8953} (Trojan.Ertfor) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\12zfg94-f641-2sf-k31p-5n1er6h6l2 (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\12cfg515-k641-55sf-n66p (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a00f2944471.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a00f299dee4.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

 

Elément(s) de données du Registre infecté(s):

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\dutudari.dll -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

 

Dossier(s) infecté(s):

C:\RECYCLER\S-1-5-21-0243636035-3055115376-381863306-1556 (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\796525 (Trojan.BHO) -> Quarantined and deleted successfully.

 

Fichier(s) infecté(s):

c:\WINDOWS\system32\dutudari.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\gejanojo.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\risowupa.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\__c002F720.dat (Trojan.Vundo) -> Delete on reboot.

C:\Documents and Settings\Moa\Local Settings\Temp\dew6eez.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\Moa\Local Settings\Temp\_A00F2944471.exe (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Documents and Settings\Moa\Local Settings\Temp\_A00F299DEE4.exe (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\796525\796525.dll (Trojan.BHO) -> Quarantined and deleted successfully.

C:\WINDOWS\ld08.exe (Worm.Koobface) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\jkshfuiehi.dll (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\joredoma.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\yetugayu.dll.vir (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\zeveluhe.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\__c009DA81.dat (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Documents and Settings\Moa\Local Settings\Temp\068.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\Moa\Local Settings\Temp\129.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\Moa\Local Settings\Temp\532.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\Moa\Local Settings\Temp\594.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\Moa\Local Settings\Temp\739.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\Moa\Local Settings\Temp\932.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\Moa\Local Settings\Temp\082.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\Moa\Local Settings\Temp\sfjh3e87huid.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\Moa\Local Settings\Temp\y9m0j.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\Moa\Local Settings\Temp\zaopx4wp.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\Moa\Local Settings\Temporary Internet Files\Content.IE5\MTETQFGN\loaderadv563[1].exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\RECYCLER\S-1-5-21-0243636035-3055115376-381863306-1556\Desktop.ini (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\WINDOWS\t55ft2692f44.dat (Worm.KoobFace) -> Quarantined and deleted successfully.

C:\WINDOWS\instsp2.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\RECYCLER\S-1-5-21-9560416769-6723167756-069926884-4207\service.exe (Trojan.Agent) -> Delete on reboot.

C:\WINDOWS\st_1241736412.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\WINDOWS\st_1241736674.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\WINDOWS\st_1241770176.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\Documents and Settings\Moa\Local Settings\Temp\BNA4.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\lazogiya.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\9g2234wesdf3dfgjf23 (Worm.KoobFace) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\drivers\str.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

[casper80]

nickel, un ordi comme neuf.

 

Merci

[Falkra]

Ce n'est pas fini pour autant, mais ça doit aller beaucoup mieux.

 

Redémarre la machine, puis poste un nouveau rapport HijackThis stp, avec la version 2.0.2 dont je t'ai donné le lien plus haut, et on termine.