
turhan

Members
  • Content count: 19

turhan's Achievements

Junior Member (3/12)

Community reputation: 0

  1. Hi, the PC is working correctly now; I have also reported the infection on Malware-Complaints. Thanks for the support and the various procedures put together to disinfect the PC. See you.
  2. Re: Operation completed successfully, no more OT ^^ Antivir reacts to Avenger.exe and avnger.zip; should I delete them too?
  3. Re: here is the Kaspersky report:

     KASPERSKY ON-LINE SCANNER REPORT
     Wednesday, October 03, 2007 5:53:25 AM
     Système d'exploitation : Microsoft Windows XP Professional, (Build 2600)
     Kaspersky On-line Scanner version : 5.0.83.0
     Dernière mise à jour de la base antivirus Kaspersky : 3/10/2007
     Enregistrements dans la base antivirus Kaspersky : 400560

     Paramètres d'analyse
     Analyser avec la base antivirus suivante standard
     Analyser les archives vrai
     Analyser les bases de messagerie vrai

     Cible de l'analyse Poste de travail
     A:\
     C:\
     D:\
     E:\
     F:\

     Statistiques de l'analyse
     Total d'objets analysés 35020
     Nombre de virus trouvés 2
     Nombre d'objets infectés 23 / 0
     Nombre d'objets suspects 0
     Durée de l'analyse 00:29:26

     Nom de l'objet infecté Nom du virus Dernière action
     C:\avenger\backup.zip/avenger/nibble.exe Infecté : Backdoor.Win32.Agent.bxt ignoré
     C:\avenger\backup.zip/avenger/nibble[1].exe Infecté : Backdoor.Win32.Agent.bxt ignoré
     C:\avenger\backup.zip/avenger/nview.dll Infecté : Backdoor.Win32.Agent.bxs ignoré
     C:\avenger\backup.zip ZIP: infecté - 3 ignoré
     C:\Documents and Settings\LocalService\Cookies\index.dat L'objet est verrouillé ignoré
     C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat L'objet est verrouillé ignoré
     C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG L'objet est verrouillé ignoré
     C:\Documents and Settings\LocalService\Local Settings\Historique\History.IE5\index.dat L'objet est verrouillé ignoré
     C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat L'objet est verrouillé ignoré
     C:\Documents and Settings\LocalService\NTUSER.DAT L'objet est verrouillé ignoré
     C:\Documents and Settings\LocalService\ntuser.dat.LOG L'objet est verrouillé ignoré
     C:\Documents and Settings\Turhan\Cookies\index.dat L'objet est verrouillé ignoré
     C:\Documents and Settings\Turhan\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat L'objet est verrouillé ignoré
     C:\Documents and Settings\Turhan\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG L'objet est verrouillé ignoré
     C:\Documents and Settings\Turhan\Local Settings\Historique\History.IE5\index.dat L'objet est verrouillé ignoré
     C:\Documents and Settings\Turhan\Local Settings\Historique\History.IE5\MSHist012007100320071004\index.dat L'objet est verrouillé ignoré
     C:\Documents and Settings\Turhan\Local Settings\Temp\~DF5E10.tmp L'objet est verrouillé ignoré
     C:\Documents and Settings\Turhan\Local Settings\Temporary Internet Files\Content.IE5\index.dat L'objet est verrouillé ignoré
     C:\Documents and Settings\Turhan\NTUSER.DAT L'objet est verrouillé ignoré
     C:\Documents and Settings\Turhan\ntuser.dat.LOG L'objet est verrouillé ignoré
     C:\System Volume Information\_restore{989293F2-1376-4753-8F40-BAF904A805D7}\RP1\A0001014.exe.mwt Infecté : Backdoor.Win32.Agent.bxt ignoré
     C:\System Volume Information\_restore{989293F2-1376-4753-8F40-BAF904A805D7}\RP2\A0002115.exe.mwt Infecté : Backdoor.Win32.Agent.bxt ignoré
     C:\System Volume Information\_restore{989293F2-1376-4753-8F40-BAF904A805D7}\RP4\A0002138.exe.mwt Infecté : Backdoor.Win32.Agent.bxt ignoré
     C:\System Volume Information\_restore{989293F2-1376-4753-8F40-BAF904A805D7}\RP5\A0002302.exe.mwt Infecté : Backdoor.Win32.Agent.bxt ignoré
     C:\System Volume Information\_restore{989293F2-1376-4753-8F40-BAF904A805D7}\RP6\A0002335.exe.mwt Infecté : Backdoor.Win32.Agent.bxt ignoré
     C:\System Volume Information\_restore{989293F2-1376-4753-8F40-BAF904A805D7}\RP6\A0002339.exe.mwt Infecté : Backdoor.Win32.Agent.bxt ignoré
     C:\System Volume Information\_restore{989293F2-1376-4753-8F40-BAF904A805D7}\RP6\A0002351.exe.mwt Infecté : Backdoor.Win32.Agent.bxt ignoré
     C:\System Volume Information\_restore{989293F2-1376-4753-8F40-BAF904A805D7}\RP6\A0002425.exe.mwt Infecté : Backdoor.Win32.Agent.bxt ignoré
     C:\System Volume Information\_restore{989293F2-1376-4753-8F40-BAF904A805D7}\RP6\A0002444.exe.mwt Infecté : Backdoor.Win32.Agent.bxt ignoré
     C:\System Volume Information\_restore{989293F2-1376-4753-8F40-BAF904A805D7}\RP6\A0002447.exe Infecté : Backdoor.Win32.Agent.bxt ignoré
     C:\System Volume Information\_restore{989293F2-1376-4753-8F40-BAF904A805D7}\RP6\A0002448.exe Infecté : Backdoor.Win32.Agent.bxt ignoré
     C:\System Volume Information\_restore{989293F2-1376-4753-8F40-BAF904A805D7}\RP6\A0002461.exe Infecté : Backdoor.Win32.Agent.bxt ignoré
     C:\System Volume Information\_restore{989293F2-1376-4753-8F40-BAF904A805D7}\RP6\A0002641.exe Infecté : Backdoor.Win32.Agent.bxt ignoré
     C:\System Volume Information\_restore{989293F2-1376-4753-8F40-BAF904A805D7}\RP6\change.log L'objet est verrouillé ignoré
     C:\WINDOWS\Debug\oakley.log L'objet est verrouillé ignoré
     C:\WINDOWS\Debug\PASSWD.LOG L'objet est verrouillé ignoré
     C:\WINDOWS\Internet Logs\fwdbglog.txt L'objet est verrouillé ignoré
     C:\WINDOWS\Internet Logs\fwpktlog.txt L'objet est verrouillé ignoré
     C:\WINDOWS\Internet Logs\IAMDB.RDB L'objet est verrouillé ignoré
     C:\WINDOWS\Internet Logs\TURHAN-OM5L9K69.ldb L'objet est verrouillé ignoré
     C:\WINDOWS\Internet Logs\tvDebug.log L'objet est verrouillé ignoré
     C:\WINDOWS\nibble.exe.mwt Infecté : Backdoor.Win32.Agent.bxt ignoré
     C:\WINDOWS\SchedLgU.Txt L'objet est verrouillé ignoré
     C:\WINDOWS\SoftwareDistribution\ReportingEvents.log L'objet est verrouillé ignoré
     C:\WINDOWS\Sti_Trace.log L'objet est verrouillé ignoré
     C:\WINDOWS\system32\config\AppEvent.Evt L'objet est verrouillé ignoré
     C:\WINDOWS\system32\config\default L'objet est verrouillé ignoré
     C:\WINDOWS\system32\config\default.LOG L'objet est verrouillé ignoré
     C:\WINDOWS\system32\config\SAM L'objet est verrouillé ignoré
     C:\WINDOWS\system32\config\SAM.LOG L'objet est verrouillé ignoré
     C:\WINDOWS\system32\config\SecEvent.Evt L'objet est verrouillé ignoré
     C:\WINDOWS\system32\config\SECURITY L'objet est verrouillé ignoré
     C:\WINDOWS\system32\config\SECURITY.LOG L'objet est verrouillé ignoré
     C:\WINDOWS\system32\config\software L'objet est verrouillé ignoré
     C:\WINDOWS\system32\config\software.LOG L'objet est verrouillé ignoré
     C:\WINDOWS\system32\config\SysEvent.Evt L'objet est verrouillé ignoré
     C:\WINDOWS\system32\config\system L'objet est verrouillé ignoré
     C:\WINDOWS\system32\config\system.LOG L'objet est verrouillé ignoré
     C:\WINDOWS\system32\drivers\fidbox.dat L'objet est verrouillé ignoré
     C:\WINDOWS\system32\drivers\fidbox.idx L'objet est verrouillé ignoré
     C:\WINDOWS\system32\drivers\fidbox2.dat L'objet est verrouillé ignoré
     C:\WINDOWS\system32\drivers\fidbox2.idx L'objet est verrouillé ignoré
     C:\WINDOWS\system32\h323log.txt L'objet est verrouillé ignoré
     C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR L'objet est verrouillé ignoré
     C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA L'objet est verrouillé ignoré
     C:\WINDOWS\Temp\ZLT0173d.TMP L'objet est verrouillé ignoré
     C:\WINDOWS\Temp\ZLT01740.TMP L'objet est verrouillé ignoré
     C:\WINDOWS\wiadebug.log L'objet est verrouillé ignoré
     C:\WINDOWS\wiaservc.log L'objet est verrouillé ignoré
     C:\WINDOWS\WindowsUpdate.log L'objet est verrouillé ignoré
     C:\_OTMoveIt\MovedFiles\Documents and Settings\Turhan\Local Settings\Temporary Internet Files\Content.IE5\45EZSL2V\nibble[1].exe Infecté : Backdoor.Win32.Agent.bxt ignoré
     C:\_OTMoveIt\MovedFiles\Documents and Settings\Turhan\Local Settings\Temporary Internet Files\Content.IE5\45EZSL2V\nibble[1].exe.mwt Infecté : Backdoor.Win32.Agent.bxt ignoré
     C:\_OTMoveIt\MovedFiles\WINDOWS\Help\mwrem.cin.mwt Infecté : Backdoor.Win32.Agent.bxs ignoré
     C:\_OTMoveIt\MovedFiles\WINDOWS\nibble.exe Infecté : Backdoor.Win32.Agent.bxt ignoré
     C:\_OTMoveIt\MovedFiles\WINDOWS\nibble.exe.mwt Infecté : Backdoor.Win32.Agent.bxt ignoré

     Analyse terminée.
     And during the scan, Antivir reacted to the file C:\System Volume Information\_restore{989293F2-1376-4753-8F40-BAF904A805D7}\RP6\A0002642.dll, flagging it as "Trojan Horse TR/Crypt.XDR.Gen". Thanks, see you later.
  4. Regsearch report:

     Windows Registry Editor Version 5.00

     ; Registry Search 2.0 by Bobbi Flekman © 2005
     ; Version: 2.0.5.0

     ; Results at 03/10/2007 02:34:58 for strings:
     ; 'atmapi'
     ; 'nview.dll'
     ; 'access.cni'
     ; 'mwrem.cin'
     ; Strings excluded from search:
     ; (None)
     ; Search in:
     ; Registry Keys Registry Values Registry Data
     ; HKEY_LOCAL_MACHINE HKEY_USERS

     [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\nView.Profile\DefaultIcon]
     @="C:\\WINDOWS\\System32\\nview.dll,18"

     [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\nView.Profile\shell\open\command]
     @="rundll32.exe nview.dll,nViewCmd loadprofile shell \"%1\""

     [HKEY_LOCAL_MACHINE\SOFTWARE\NVIDIA Corporation\Global\MediaCenterTray\nView.dll]

     [HKEY_LOCAL_MACHINE\SOFTWARE\NVIDIA Corporation\Global\MediaCenterTray\nView.dll]
     "FullPath"="C:\\WINDOWS\\System32\\nview.dll"

     [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}01\Uninstall]
     ; Contents of value:
     ; default.tvp,keystone.exe,nvappbar.exe,nvcolor.exe,nvdspsch.exe,nview.dll,nvshell.dll,nvtuicpl.cpl,nvwdmcpl.dll,nvwimg.dll,nwiz.exe,nvmccsrs.dll
     ; nvcpl.cpl,nvcplui.exe,nvcpluir.dll,nvexpbar.dll
     ; nvcpl.chm,nvdsp.chm,nv3d.chm,nvmob.chm
     ; nvapps.xml>nvapps.nvb
     ;
     "CopyFiles"=hex(7):64,00,65,00,66,00,61,00,75,00,6c,00,74,00,2e,00,74,00,76,00,\
       70,00,2c,00,6b,00,65,00,79,00,73,00,74,00,6f,00,6e,00,65,00,2e,00,65,00,78,\
       00,65,00,2c,00,6e,00,76,00,61,00,70,00,70,00,62,00,61,00,72,00,2e,00,65,00,\
       78,00,65,00,2c,00,6e,00,76,00,63,00,6f,00,6c,00,6f,00,72,00,2e,00,65,00,78,\
       00,65,00,2c,00,6e,00,76,00,64,00,73,00,70,00,73,00,63,00,68,00,2e,00,65,00,\
       78,00,65,00,2c,00,6e,00,76,00,69,00,65,00,77,00,2e,00,64,00,6c,00,6c,00,2c,\
       00,6e,00,76,00,73,00,68,00,65,00,6c,00,6c,00,2e,00,64,00,6c,00,6c,00,2c,00,\
       6e,00,76,00,74,00,75,00,69,00,63,00,70,00,6c,00,2e,00,63,00,70,00,6c,00,2c,\
       00,6e,00,76,00,77,00,64,00,6d,00,63,00,70,00,6c,00,2e,00,64,00,6c,00,6c,00,\
       2c,00,6e,00,76,00,77,00,69,00,6d,00,67,00,2e,00,64,00,6c,00,6c,00,2c,00,6e,\
       00,77,00,69,00,7a,00,2e,00,65,00,78,00,65,00,2c,00,6e,00,76,00,6d,00,63,00,\
       63,00,73,00,72,00,73,00,2e,00,64,00,6c,00,6c,00,00,00,6e,00,76,00,63,00,70,\
       00,6c,00,2e,00,63,00,70,00,6c,00,2c,00,6e,00,76,00,63,00,70,00,6c,00,75,00,\
       69,00,2e,00,65,00,78,00,65,00,2c,00,6e,00,76,00,63,00,70,00,6c,00,75,00,69,\
       00,72,00,2e,00,64,00,6c,00,6c,00,2c,00,6e,00,76,00,65,00,78,00,70,00,62,00,\
       61,00,72,00,2e,00,64,00,6c,00,6c,00,00,00,6e,00,76,00,63,00,70,00,6c,00,2e,\
       00,63,00,68,00,6d,00,2c,00,6e,00,76,00,64,00,73,00,70,00,2e,00,63,00,68,00,\
       6d,00,2c,00,6e,00,76,00,33,00,64,00,2e,00,63,00,68,00,6d,00,2c,00,6e,00,76,\
       00,6d,00,6f,00,62,00,2e,00,63,00,68,00,6d,00,00,00,6e,00,76,00,61,00,70,00,\
       70,00,73,00,2e,00,78,00,6d,00,6c,00,3e,00,6e,00,76,00,61,00,70,00,70,00,73,\
       00,2e,00,6e,00,76,00,62,00,00,00,00,00

     [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}01\Uninstall]
     ; Contents of value:
     ; default.tvp,keystone.exe,nvappbar.exe,nvcolor.exe,nvdspsch.exe,nview.dll,nvshell.dll,nvtuicpl.cpl,nvwdmcpl.dll,nvwimg.dll,nwiz.exe,nvmccsrs.dll
     ; nvcpl.cpl,nvcplui.exe,nvcpluir.dll,nvexpbar.dll
     ; nvcpl.chm,nvdsp.chm,nv3d.chm,nvmob.chm
     ; nvapps.xml>nvapps.nvb
     ;
     "CopyFiles"=hex(7):64,00,65,00,66,00,61,00,75,00,6c,00,74,00,2e,00,74,00,76,00,\
       70,00,2c,00,6b,00,65,00,79,00,73,00,74,00,6f,00,6e,00,65,00,2e,00,65,00,78,\
       00,65,00,2c,00,6e,00,76,00,61,00,70,00,70,00,62,00,61,00,72,00,2e,00,65,00,\
       78,00,65,00,2c,00,6e,00,76,00,63,00,6f,00,6c,00,6f,00,72,00,2e,00,65,00,78,\
       00,65,00,2c,00,6e,00,76,00,64,00,73,00,70,00,73,00,63,00,68,00,2e,00,65,00,\
       78,00,65,00,2c,00,6e,00,76,00,69,00,65,00,77,00,2e,00,64,00,6c,00,6c,00,2c,\
       00,6e,00,76,00,73,00,68,00,65,00,6c,00,6c,00,2e,00,64,00,6c,00,6c,00,2c,00,\
       6e,00,76,00,74,00,75,00,69,00,63,00,70,00,6c,00,2e,00,63,00,70,00,6c,00,2c,\
       00,6e,00,76,00,77,00,64,00,6d,00,63,00,70,00,6c,00,2e,00,64,00,6c,00,6c,00,\
       2c,00,6e,00,76,00,77,00,69,00,6d,00,67,00,2e,00,64,00,6c,00,6c,00,2c,00,6e,\
       00,77,00,69,00,7a,00,2e,00,65,00,78,00,65,00,2c,00,6e,00,76,00,6d,00,63,00,\
       63,00,73,00,72,00,73,00,2e,00,64,00,6c,00,6c,00,00,00,6e,00,76,00,63,00,70,\
       00,6c,00,2e,00,63,00,70,00,6c,00,2c,00,6e,00,76,00,63,00,70,00,6c,00,75,00,\
       69,00,2e,00,65,00,78,00,65,00,2c,00,6e,00,76,00,63,00,70,00,6c,00,75,00,69,\
       00,72,00,2e,00,64,00,6c,00,6c,00,2c,00,6e,00,76,00,65,00,78,00,70,00,62,00,\
       61,00,72,00,2e,00,64,00,6c,00,6c,00,00,00,6e,00,76,00,63,00,70,00,6c,00,2e,\
       00,63,00,68,00,6d,00,2c,00,6e,00,76,00,64,00,73,00,70,00,2e,00,63,00,68,00,\
       6d,00,2c,00,6e,00,76,00,33,00,64,00,2e,00,63,00,68,00,6d,00,2c,00,6e,00,76,\
       00,6d,00,6f,00,62,00,2e,00,63,00,68,00,6d,00,00,00,6e,00,76,00,61,00,70,00,\
       70,00,73,00,2e,00,78,00,6d,00,6c,00,3e,00,6e,00,76,00,61,00,70,00,70,00,73,\
       00,2e,00,6e,00,76,00,62,00,00,00,00,00

     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}01\Uninstall]
     ; Contents of value:
     ; default.tvp,keystone.exe,nvappbar.exe,nvcolor.exe,nvdspsch.exe,nview.dll,nvshell.dll,nvtuicpl.cpl,nvwdmcpl.dll,nvwimg.dll,nwiz.exe,nvmccsrs.dll
     ; nvcpl.cpl,nvcplui.exe,nvcpluir.dll,nvexpbar.dll
     ; nvcpl.chm,nvdsp.chm,nv3d.chm,nvmob.chm
     ; nvapps.xml>nvapps.nvb
     ;
     "CopyFiles"=hex(7):64,00,65,00,66,00,61,00,75,00,6c,00,74,00,2e,00,74,00,76,00,\
       70,00,2c,00,6b,00,65,00,79,00,73,00,74,00,6f,00,6e,00,65,00,2e,00,65,00,78,\
       00,65,00,2c,00,6e,00,76,00,61,00,70,00,70,00,62,00,61,00,72,00,2e,00,65,00,\
       78,00,65,00,2c,00,6e,00,76,00,63,00,6f,00,6c,00,6f,00,72,00,2e,00,65,00,78,\
       00,65,00,2c,00,6e,00,76,00,64,00,73,00,70,00,73,00,63,00,68,00,2e,00,65,00,\
       78,00,65,00,2c,00,6e,00,76,00,69,00,65,00,77,00,2e,00,64,00,6c,00,6c,00,2c,\
       00,6e,00,76,00,73,00,68,00,65,00,6c,00,6c,00,2e,00,64,00,6c,00,6c,00,2c,00,\
       6e,00,76,00,74,00,75,00,69,00,63,00,70,00,6c,00,2e,00,63,00,70,00,6c,00,2c,\
       00,6e,00,76,00,77,00,64,00,6d,00,63,00,70,00,6c,00,2e,00,64,00,6c,00,6c,00,\
       2c,00,6e,00,76,00,77,00,69,00,6d,00,67,00,2e,00,64,00,6c,00,6c,00,2c,00,6e,\
       00,77,00,69,00,7a,00,2e,00,65,00,78,00,65,00,2c,00,6e,00,76,00,6d,00,63,00,\
       63,00,73,00,72,00,73,00,2e,00,64,00,6c,00,6c,00,00,00,6e,00,76,00,63,00,70,\
       00,6c,00,2e,00,63,00,70,00,6c,00,2c,00,6e,00,76,00,63,00,70,00,6c,00,75,00,\
       69,00,2e,00,65,00,78,00,65,00,2c,00,6e,00,76,00,63,00,70,00,6c,00,75,00,69,\
       00,72,00,2e,00,64,00,6c,00,6c,00,2c,00,6e,00,76,00,65,00,78,00,70,00,62,00,\
       61,00,72,00,2e,00,64,00,6c,00,6c,00,00,00,6e,00,76,00,63,00,70,00,6c,00,2e,\
       00,63,00,68,00,6d,00,2c,00,6e,00,76,00,64,00,73,00,70,00,2e,00,63,00,68,00,\
       6d,00,2c,00,6e,00,76,00,33,00,64,00,2e,00,63,00,68,00,6d,00,2c,00,6e,00,76,\
       00,6d,00,6f,00,62,00,2e,00,63,00,68,00,6d,00,00,00,6e,00,76,00,61,00,70,00,\
       70,00,73,00,2e,00,78,00,6d,00,6c,00,3e,00,6e,00,76,00,61,00,70,00,70,00,73,\
       00,2e,00,6e,00,76,00,62,00,00,00,00,00

     ; End Of The Log...

     The Kaspersky scan is running; I'll post it when I wake up ^^ After rebooting, none of the files reappeared. Thanks for all the work done so far. See you.
  5. Re: Here is the Avenger report:

     Logfile of The Avenger version 1, by Swandog46
     Running from registry key:
     \Registry\Machine\System\CurrentControlSet\Services\asqqfaqh

     *******************

     Script file located at: \??\C:\Documents and Settings\icsxcvrt.txt
     Script file opened successfully.
     Script file read successfully

     Backups directory opened successfully at C:\Avenger

     *******************

     Beginning to process script file:

     Registry key \Registry\Machine\System\CurrentControlSet\Services\atmapi not found!
     Unload of driver atmapi failed!
     Could not process line:
     atmapi
     Status: 0xc0000034

     File C:\WINDOWS\System32\drivers\atmapi.sys deleted successfully.
     File C:\WINDOWS\nview.dll deleted successfully.
     File C:\WINDOWS\nibble.exe deleted successfully.
     File C:\Windows\Prefetch\NIBBLE.EXE-02551F7B.pf deleted successfully.
     File C:\Documents and Settings\Turhan\Local Settings\Temporary Internet Files\Content.IE5\45EZSL2V\nibble[1].exe deleted successfully.

     File C:\WINDOWS\Help\mwrem.cin not found!
     Deletion of file C:\WINDOWS\Help\mwrem.cin failed!
     Could not process line:
     C:\WINDOWS\Help\mwrem.cin
     Status: 0xc0000034

     File C:\WINDOWS\Help\access.cni not found!
     Deletion of file C:\WINDOWS\Help\access.cni failed!
     Could not process line:
     C:\WINDOWS\Help\access.cni
     Status: 0xc0000034

     Registry key HKEY_LOCAL_MACHINE\SOFTWARE\1 deleted successfully.
     Registry key HKEY_LOCAL_MACHINE\SOFTWARE\2 deleted successfully.
     Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows|zwpInit_Dlls deleted successfully.

     Completed script processing.

     *******************

     Finished! Terminate.
     And the HijackThis report:

     StartupList report, 03/10/2007, 01:54:22
     StartupList version: 1.52.2
     Started from : C:\Documents and Settings\Turhan\Bureau\HiJackThis\HijackThis.EXE
     Detected: Windows XP (WinNT 5.01.2600)
     Detected: Internet Explorer v6.00 (6.00.2600.0000)
     * Using default options
     * Including empty and uninteresting sections
     * Showing rarely important sections
     ==================================================

     Running processes:

     C:\WINDOWS\System32\smss.exe
     C:\WINDOWS\system32\winlogon.exe
     C:\WINDOWS\system32\services.exe
     C:\WINDOWS\system32\lsass.exe
     C:\WINDOWS\system32\svchost.exe
     C:\WINDOWS\System32\svchost.exe
     C:\WINDOWS\system32\ZoneLabs\vsmon.exe
     C:\WINDOWS\Explorer.EXE
     C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
     C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
     C:\WINDOWS\system32\spoolsv.exe
     C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
     C:\WINDOWS\system32\notepad.exe
     C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
     C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
     C:\WINDOWS\System32\nvsvc32.exe
     C:\Program Files\Internet Explorer\iexplore.exe
     C:\Documents and Settings\Turhan\Bureau\HiJackThis\HijackThis.exe

     --------------------------------------------------

     Listing of startup folders:

     Shell folders Startup:
     [C:\Documents and Settings\Turhan\Menu Démarrer\Programmes\Démarrage]
     *No files*

     Shell folders AltStartup:
     *Folder not found*

     User shell folders Startup:
     *Folder not found*

     User shell folders AltStartup:
     *Folder not found*

     Shell folders Common Startup:
     [C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage]
     *No files*

     Shell folders Common AltStartup:
     *Folder not found*

     User shell folders Common Startup:
     *Folder not found*

     User shell folders Alternate Common Startup:
     *Folder not found*

     --------------------------------------------------

     Checking Windows NT UserInit:

     [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
     UserInit = C:\WINDOWS\system32\userinit.exe,

     [HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
     *Registry key not found*

     [HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
     *Registry value not found*

     [HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
     *Registry key not found*

     --------------------------------------------------

     Autorun entries from Registry:
     HKLM\Software\Microsoft\Windows\CurrentVersion\Run

     QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
     avgnt = "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
     Zone Labs Client = "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
     ZoneAlarm Client = "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
     NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

     --------------------------------------------------

     Autorun entries from Registry:
     HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
     *No values found*

     --------------------------------------------------

     Autorun entries from Registry:
     HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
     *No values found*

     --------------------------------------------------

     Autorun entries from Registry:
     HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
     *Registry key not found*

     --------------------------------------------------

     Autorun entries from Registry:
     HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
     *Registry key not found*

     --------------------------------------------------

     Autorun entries from Registry:
     HKCU\Software\Microsoft\Windows\CurrentVersion\Run
     *No values found*

     --------------------------------------------------

     Autorun entries from Registry:
     HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
     *No values found*

     --------------------------------------------------

     Autorun entries from Registry:
     HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
     *Registry key not found*

     --------------------------------------------------

     Autorun entries from Registry:
     HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
     *No values found*

     --------------------------------------------------

     Autorun entries from Registry:
     HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
     *Registry key not found*

     --------------------------------------------------

     Autorun entries from Registry:
     HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
     *Registry key not found*

     --------------------------------------------------

     Autorun entries from Registry:
     HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
     *Registry key not found*

     --------------------------------------------------

     Autorun entries in Registry subkeys of:
     HKLM\Software\Microsoft\Windows\CurrentVersion\Run
     *No subkeys found*

     --------------------------------------------------

     Autorun entries in Registry subkeys of:
     HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
     *No subkeys found*

     --------------------------------------------------

     Autorun entries in Registry subkeys of:
     HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
     *No subkeys found*

     --------------------------------------------------

     Autorun entries in Registry subkeys of:
     HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
     *Registry key not found*

     --------------------------------------------------

     Autorun entries in Registry subkeys of:
     HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
     *Registry key not found*

     --------------------------------------------------

     Autorun entries in Registry subkeys of:
     HKCU\Software\Microsoft\Windows\CurrentVersion\Run
     *No subkeys found*

     --------------------------------------------------

     Autorun entries in Registry subkeys of:
     HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
     *No subkeys found*

     --------------------------------------------------

     Autorun entries in Registry subkeys of:
     HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
     *Registry key not found*

     --------------------------------------------------

     Autorun entries in Registry subkeys of:
     HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
     *No subkeys found*

     --------------------------------------------------

     Autorun entries in Registry subkeys of:
     HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
     *Registry key not found*

     --------------------------------------------------

     Autorun entries in Registry subkeys of:
     HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
     *Registry key not found*

     --------------------------------------------------

     Autorun entries in Registry subkeys of:
     HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
     *Registry key not found*

     --------------------------------------------------

     File association entry for .EXE:
     HKEY_CLASSES_ROOT\exefile\shell\open\command

     (Default) = "%1" %*

     --------------------------------------------------

     File association entry for .COM:
     HKEY_CLASSES_ROOT\comfile\shell\open\command

     (Default) = "%1" %*

     --------------------------------------------------

     File association entry for .BAT:
     HKEY_CLASSES_ROOT\batfile\shell\open\command

     (Default) = "%1" %*

     --------------------------------------------------

     File association entry for .PIF:
     HKEY_CLASSES_ROOT\piffile\shell\open\command

     (Default) = "%1" %*

     --------------------------------------------------

     File association entry for .SCR:
     HKEY_CLASSES_ROOT\scrfile\shell\open\command

     (Default) = "%1" /S

     --------------------------------------------------

     File association entry for .HTA:
     HKEY_CLASSES_ROOT\htafile\shell\open\command

     (Default) = C:\WINDOWS\system32\mshta.exe "%1" %*

     --------------------------------------------------

     File association entry for .TXT:
     HKEY_CLASSES_ROOT\txtfile\shell\open\command

     (Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

     --------------------------------------------------

     Enumerating Active Setup stub paths:
     HKLM\Software\Microsoft\Active Setup\Installed Components
     (* = disabled by HKCU twin)

     [>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS]
     * StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

     [{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
     * StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\mplayer2.inf,PerUserStub.NT

     [{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]
     * StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

     [{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
     * StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

     [{44BBA842-CC51-11CF-AAFA-00AA00B6015B}]
     * StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

     [{5945c046-1e7d-11d1-bc44-00c04fd912be}]
     * StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.Install.PerUser

     [{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
     * StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub

     [{7790769C-0471-11d2-AF11-00C04FA35D02}]
     * StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

     [{89820200-ECBD-11cf-8B85-00AA005B4340}]
     * StubPath = regsvr32.exe /s /n /i:U shell32.dll

     [{89820200-ECBD-11cf-8B85-00AA005B4383}]
     * StubPath = %SystemRoot%\system32\ie4uinit.exe

     [{ACC563BC-4266-43f0-B6ED-9D38C4202C7E}]
     * StubPath = rundll32 iesetup.dll,IEAccessUserInst

     --------------------------------------------------

     Enumerating ICQ Agent Autostart apps:
     HKCU\Software\Mirabilis\ICQ\Agent\Apps
     *Registry key not found*

     --------------------------------------------------

     Load/Run keys from C:\WINDOWS\WIN.INI:

     load=*INI section not found*
     run=*INI section not found*

     Load/Run keys from Registry:

     HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
     HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
     HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
     HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
     HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
     HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
     HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
     HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
     HKCU\..\Windows NT\CurrentVersion\Windows: load=
     HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
     HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
     HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
     HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

     --------------------------------------------------

     Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

     Shell=*INI section not found*
     SCRNSAVE.EXE=*INI section not found*
     drivers=*INI section not found*

     Shell & screensaver key from Registry:

     Shell=explorer.exe
     SCRNSAVE.EXE=*Registry value not found*
     drivers=*Registry value not found*

     Policies Shell key:

     HKCU\..\Policies: Shell=*Registry value not found*
     HKLM\..\Policies: Shell=*Registry value not found*

     --------------------------------------------------

     Checking for EXPLORER.EXE instances:

     C:\WINDOWS\Explorer.exe: PRESENT!

     C:\Explorer.exe: not present
     C:\WINDOWS\Explorer\Explorer.exe: not present
     C:\WINDOWS\System\Explorer.exe: not present
     C:\WINDOWS\System32\Explorer.exe: not present
     C:\WINDOWS\Command\Explorer.exe: not present
     C:\WINDOWS\Fonts\Explorer.exe: not present

     --------------------------------------------------

     Checking for superhidden extensions:

     .lnk: HIDDEN! (arrow overlay: yes)
     .pif: HIDDEN! (arrow overlay: yes)
     .exe: not hidden
     .com: not hidden
     .bat: not hidden
     .hta: not hidden
     .scr: not hidden
     .shs: HIDDEN!
     .shb: HIDDEN!
     .vbs: not hidden
     .vbe: not hidden
     .wsh: not hidden
     .scf: HIDDEN! (arrow overlay: NO!)
     .url: HIDDEN! (arrow overlay: yes)
     .js: not hidden
     .jse: not hidden

     --------------------------------------------------

     Verifying REGEDIT.EXE integrity:

     - Regedit.exe found in C:\WINDOWS
     - .reg open command is normal (regedit.exe %1)
     - Regedit.exe has no CompanyName property! It is either missing or named something else.
     - Regedit.exe has no OriginalFilename property! It is either missing or named something else.
     - Regedit.exe has no FileDescription property! It is either missing or named something else.

     Registry check failed!

     --------------------------------------------------

     Enumerating Browser Helper Objects:

     *No BHO's found*

     --------------------------------------------------

     Enumerating Task Scheduler jobs:

     *No jobs found*

     --------------------------------------------------

     Enumerating Download Program Files:

     [CKAVWebScan Object]
     InProcServer32 = C:\WINDOWS\System32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
     CODEBASE = http://webscanner.kaspersky.fr/kavwebscan_unicode.cab

     [Checkers Class]
     InProcServer32 = C:\WINDOWS\Downloaded Program Files\msgrchkr.dll
     CODEBASE = http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

     [{33564D57-0000-0010-8000-00AA00389B71}]
     CODEBASE = http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB

     [WUWebControl Class]
     InProcServer32 = C:\WINDOWS\System32\wuweb.dll
     CODEBASE = http://www.update.microsoft.com/windowsupd...b?1191279058281

     [shockwave Flash Object]
     InProcServer32 = C:\WINDOWS\System32\Macromed\Flash\Flash9b.ocx
     CODEBASE = http://download.macromedia.com/pub/shockwa...ash/swflash.cab

     --------------------------------------------------

     Enumerating Winsock LSP files:

     NameSpace #1: C:\WINDOWS\System32\mswsock.dll
     NameSpace #2: C:\WINDOWS\System32\winrnr.dll
     NameSpace #3: C:\WINDOWS\System32\mswsock.dll
     Protocol #1: C:\WINDOWS\system32\mswsock.dll
     Protocol #2: C:\WINDOWS\system32\mswsock.dll
     Protocol #3: C:\WINDOWS\system32\mswsock.dll
     Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
     Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
     Protocol #6: C:\WINDOWS\system32\mswsock.dll
     Protocol #7: C:\WINDOWS\system32\mswsock.dll
     Protocol #8: C:\WINDOWS\system32\mswsock.dll
     Protocol #9: C:\WINDOWS\system32\mswsock.dll
     Protocol #10: C:\WINDOWS\system32\mswsock.dll
     Protocol #11: C:\WINDOWS\system32\mswsock.dll
     Protocol #12: C:\WINDOWS\system32\mswsock.dll
     Protocol #13: C:\WINDOWS\system32\mswsock.dll
     Protocol #14: C:\WINDOWS\system32\mswsock.dll
     Protocol #15: C:\WINDOWS\system32\mswsock.dll
     Protocol #16: C:\WINDOWS\system32\mswsock.dll
     Protocol #17: C:\WINDOWS\system32\mswsock.dll

     --------------------------------------------------

     Enumerating Windows NT/2000/XP services

     Pilote ACPI Microsoft: System32\DRIVERS\ACPI.sys (system)
     Suppresseur d'écho acoustique (Noyau Microsoft): system32\drivers\aec.sys (manual start)
     Environnement de prise en charge de réseau AFD: \SystemRoot\System32\drivers\afd.sys (autostart)
     Avertissement: %SystemRoot%\System32\svchost.exe -k LocalService (disabled)
     Service de la passerelle de la couche Application: %SystemRoot%\System32\alg.exe (manual start)
     AntiVir PersonalEdition Classic Scheduler: "C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe" (autostart)
     AntiVir PersonalEdition Classic Guard: "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe" (autostart)
     Gestion d'applications: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
     Protocole client ARP 1394: System32\DRIVERS\arp1394.sys (manual start)
     Pilote de média asynchrone RAS: System32\DRIVERS\asyncmac.sys (manual start)
     Contrôleur de disque dur IDE/ESDI standard: System32\DRIVERS\atapi.sys (system)
     atitray: \??\C:\Program Files\Radeon Omega Drivers\v3.8.360\ATI Tray Tools\atitray.sys (system)
     Protocole client ATM ARP: System32\DRIVERS\atmarpc.sys (manual start)
     Audio Windows: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
     Pilote audio Stub: System32\DRIVERS\audstub.sys (manual start)
     avgntdd: SYSTEM32\DRIVERS\avgntdd.sys (system)
     avgntmgr: SYSTEM32\DRIVERS\avgntmgr.sys (system)
     avipbb: System32\DRIVERS\avipbb.sys (system)
     Service de transfert intelligent en arrière-plan: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
     Explorateur d'ordinateur: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
     Symantec Settings Manager: "C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe" (disabled)
     Pilote de CD-ROM: System32\DRIVERS\cdrom.sys (system)
     Service d'indexation: C:\WINDOWS\System32\cisvc.exe (manual start)
     Gestionnaire de l'Album: %SystemRoot%\system32\clipsrv.exe (manual start)
     Application système COM+: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
     Services de cryptographie: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
     Client DHCP: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
     Pilote de disque: System32\DRIVERS\disk.sys (system)
     Service d'administration du Gestionnaire de disque logique: %SystemRoot%\System32\dmadmin.exe /com (manual start)
     dmboot: System32\drivers\dmboot.sys (disabled)
     Pilote de Gestionnaire de disque logique: System32\drivers\dmio.sys (system)
     dmload: System32\drivers\dmload.sys (system)
     Gestionnaire de disque logique: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
     Synthétiseur DLS du noyau Microsoft: system32\drivers\DMusic.sys (manual start)
     Client DNS: %SystemRoot%\System32\svchost.exe -k NetworkService (disabled)
     Filtre de décodeur DRM (Noyau Microsoft): system32\drivers\drmkaud.sys (manual start)
     Service de rapport d'erreurs: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
     Journal des événements: %SystemRoot%\system32\services.exe (autostart)
     Système d'événements de COM+: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)
     Compatibilité avec le Changement rapide d'utilisateur: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
     Pilote de contrôleur de lecteur de disquettes: System32\DRIVERS\fdc.sys (manual start)
     Pilote de lecteur de disquettes: System32\DRIVERS\flpydisk.sys (manual start)
     Pilote du Gestionnaire de volume: System32\DRIVERS\ftdisk.sys (system)
     Énumérateur de port jeu: System32\DRIVERS\gameenum.sys (manual start)
     Classificateur de paquets générique: System32\DRIVERS\msgpc.sys (manual start)
     Aide et support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
     HID Input Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
     Pilote de classe HID Microsoft: System32\DRIVERS\hidusb.sys (manual start)
     Pilote pour clavier i8042 et souris sur port PS/2: System32\DRIVERS\i8042prt.sys (system)
     Service COM de gravage de CD IMAPI: C:\WINDOWS\System32\imapi.exe (manual start)
     Pilote de filtre de trafic IP: System32\DRIVERS\ipfltdrv.sys (manual start)
     Pilote de tunnelage IP dans IP: System32\DRIVERS\ipinip.sys (manual start)
     Traducteur d'adresses réseau IP: System32\DRIVERS\ipnat.sys (manual start)
     Pilote IPSEC: System32\DRIVERS\ipsec.sys (system)
     Service énumérateur IR: System32\DRIVERS\irenum.sys (manual start)
     Pilote de bus Plug-and-Play ISA/EISA: System32\DRIVERS\isapnp.sys (system)
     Pilote de la classe Clavier: System32\DRIVERS\kbdclass.sys (system)
     Pilote HID de clavier: System32\DRIVERS\kbdhid.sys (system)
     KLIF: \??\C:\WINDOWS\system32\ZoneLabs\avsys\KLIF.SYS (manual start)
     Mélangeur audio Wave de noyau Microsoft: system32\drivers\kmixer.sys (manual start)
     Serveur: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
     Station de travail: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
     Assistance TCP/IP NetBIOS: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
     Affichage des messages: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
     Partage de Bureau à distance NetMeeting: C:\WINDOWS\System32\mnmsrvc.exe (disabled)
     Pilote de la classe Souris: System32\DRIVERS\mouclass.sys (system)
     Pilote HID de souris: System32\DRIVERS\mouhid.sys (manual start)
     Redirecteur client WebDav: System32\DRIVERS\mrxdav.sys (manual start)
     MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
     Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)
     Windows Installer: C:\WINDOWS\System32\msiexec.exe /V (manual start)
     Proxy de service de répartition Microsoft: system32\drivers\MSKSSRV.sys (manual start)
     Proxy d'horloge de
répartition Microsoft: system32\drivers\MSPCLOCK.sys (manual start) Proxy de gestion de qualité de répartition Microsoft: system32\drivers\MSPQM.sys (manual start) Pilote UART MIDI MPU-401 Microsoft: system32\drivers\msmpu401.sys (manual start) NAVENG: \??\C:\PROGRA~1\FICHIE~1\SYMANT~1\VIRUSD~1\20070730.016\naveng.sys (manual start) NAVEX15: \??\C:\PROGRA~1\FICHIE~1\SYMANT~1\VIRUSD~1\20070730.016\navex15.sys (manual start) Pilote TAPI NDIS d'accès distant: System32\DRIVERS\ndistapi.sys (manual start) NDIS mode utilisateur E/S Protocole: System32\DRIVERS\ndisuio.sys (manual start) Pilote réseau étendu NDIS d'accès distant: System32\DRIVERS\ndiswan.sys (manual start) Interface NetBIOS: System32\DRIVERS\netbios.sys (system) NetBIOS sur TCP/IP: System32\DRIVERS\netbt.sys (system) DDE réseau: %SystemRoot%\system32\netdde.exe (manual start) DSDM DDE réseau: %SystemRoot%\system32\netdde.exe (manual start) Ouverture de session réseau: %SystemRoot%\System32\lsass.exe (manual start) Connexions réseau: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start) Pilote réseau 1394: System32\DRIVERS\nic1394.sys (manual start) NLA (Network Location Awareness): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start) Fournisseur de la prise en charge de sécurité LM NT: %SystemRoot%\System32\lsass.exe (manual start) Stockage amovible: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start) nTune Service: C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe /StartService (autostart) nv: System32\DRIVERS\nv4_mini.sys (manual start) Service for NVIDIA® nForce Audio Enumerator: system32\drivers\nvax.sys (manual start) Service for NVIDIA® nForce Audio: system32\drivers\nvapu.sys (manual start) NVR0Dev: \??\C:\WINDOWS\nvoclock.sys (manual start) NVIDIA Display Driver Service: %SystemRoot%\System32\nvsvc32.exe (autostart) Pilote de filtre de trafic IPX: System32\DRIVERS\nwlnkflt.sys (manual start) Pilote de transfert de trafic IPX: System32\DRIVERS\nwlnkfwd.sys (manual 
start) Contrôleurs hôte IEEE 1394 compatible OHCI: System32\DRIVERS\ohci1394.sys (system) Pilote de port parallèle: System32\DRIVERS\parport.sys (manual start) Pilote de bus PCI: System32\DRIVERS\pci.sys (system) PCIIde: System32\DRIVERS\pciide.sys (system) Plug-and-Play: %SystemRoot%\system32\services.exe (autostart) Services IPSEC: %SystemRoot%\System32\lsass.exe (autostart) Miniport réseau étendu (PPTP): System32\DRIVERS\raspptp.sys (manual start) Pilote processeur: System32\DRIVERS\processr.sys (system) Emplacement protégé: %SystemRoot%\system32\lsass.exe (autostart) Planificateur de paquets QoS: System32\DRIVERS\psched.sys (manual start) Pilote de liaison parallèle directe: System32\DRIVERS\ptilink.sys (manual start) PxHelp20: System32\Drivers\PxHelp20.sys (system) Pilote de connexion automatique d'accès distant: System32\DRIVERS\rasacd.sys (system) Gestionnaire de connexion automatique d'accès distant: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start) Miniport réseau étendu (L2TP): System32\DRIVERS\rasl2tp.sys (manual start) Gestionnaire de connexions d'accès distant: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start) Pilote PPPOE d'accès à distance: System32\DRIVERS\raspppoe.sys (manual start) Parallèle direct: System32\DRIVERS\raspti.sys (manual start) Rdbss: System32\DRIVERS\rdbss.sys (system) RDPCDD: System32\DRIVERS\RDPCDD.sys (system) Pilote de redirecteur de périphérique Terminal Server: System32\DRIVERS\rdpdr.sys (manual start) Gestionnaire de session d'aide sur le Bureau à distance: C:\WINDOWS\system32\sessmgr.exe (manual start) Pilote de filtre de lecture digitale de CD audio: System32\DRIVERS\redbook.sys (system) Routage et accès distant: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled) Accès à distance au Registre: %SystemRoot%\system32\svchost.exe -k LocalService (disabled) Localisateur d'appels de procédure distante (RPC): %SystemRoot%\System32\locator.exe (manual start) Appel de procédure distante (RPC): 
%SystemRoot%\system32\svchost -k rpcss (autostart) QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start) Pilote NT de carte Realtek PCI Ethernet à base RTL8029(AS): System32\DRIVERS\RTL8029.SYS (manual start) Gestionnaire de comptes de sécurité: %SystemRoot%\system32\lsass.exe (autostart) SAVRT: \??\C:\Program Files\Symantec AntiVirus\savrt.sys (manual start) SAVRTPEL: \??\C:\Program Files\Symantec AntiVirus\Savrtpel.sys (autostart) Prise en charge des cartes à puces: %SystemRoot%\System32\SCardSvr.exe (manual start) Carte à puce: %SystemRoot%\System32\SCardSvr.exe (manual start) Planificateur de tâches: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) Secdrv: System32\DRIVERS\secdrv.sys (manual start) Connexion secondaire: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) Notification d'événement système: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart) Pilote de filtre Serenum: System32\DRIVERS\serenum.sys (manual start) Pilote de port série: System32\DRIVERS\serial.sys (system) Pare-feu de connexion Internet (ICF) / Partage de connexion Internet (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) Détection matériel noyau: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) Symantec Network Drivers Service: "C:\Program Files\Fichiers communs\Symantec Shared\SNDSrvc.exe" (disabled) Splitter audio du noyau Microsoft: system32\drivers\splitter.sys (manual start) Spouleur d'impression: %SystemRoot%\system32\spoolsv.exe (autostart) Pilote de filtre de restauration système: System32\DRIVERS\sr.sys (system) srescan: System32\ZoneLabs\srescan.sys (system) Service de restauration système: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) Srv: System32\DRIVERS\srv.sys (manual start) Service de découvertes SSDP: %SystemRoot%\System32\svchost.exe -k LocalService (manual start) ssmdrv: System32\DRIVERS\ssmdrv.sys (system) Acquisition d'image Windows (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (manual start) Pilote de bus 
logiciel: System32\DRIVERS\swenum.sys (manual start) Synthétiseur de table de sons GC noyau Microsoft: system32\drivers\swmidi.sys (manual start) MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{D29AE635-E4B5-4B20-AAC0-A3A0CC052390} (manual start) SYMREDRV: \SystemRoot\System32\Drivers\SYMREDRV.SYS (manual start) SYMTDI: \SystemRoot\System32\Drivers\SYMTDI.SYS (system) Périphérique audio système du noyau Microsoft: system32\drivers\sysaudio.sys (manual start) Journaux et alertes de performance: %SystemRoot%\system32\smlogsvc.exe (manual start) Téléphonie: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start) Pilote du protocole TCP/IP: System32\DRIVERS\tcpip.sys (system) Pilote de périphérique terminal: System32\DRIVERS\termdd.sys (system) Services Terminal Server: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start) Thèmes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) Telnet: C:\WINDOWS\System32\tlntsvr.exe (disabled) Client de suivi de lien distribué: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled) TVICHW32: \??\C:\WINDOWS\System32\DRIVERS\TVICHW32.SYS (manual start) Pilote de mise à jour microcode: System32\DRIVERS\update.sys (manual start) Gestionnaire de téléchargement: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start) Hôte de périphérique universel Plug-and-Play: %SystemRoot%\System32\svchost.exe -k LocalService (manual start) Onduleur: %SystemRoot%\System32\ups.exe (manual start) Pilote parent générique USB Microsoft: System32\DRIVERS\usbccgp.sys (manual start) Concentrateur USB2: System32\DRIVERS\usbhub.sys (manual start) Pilote miniport de contrôleur hôte ouvert USB Microsoft: System32\DRIVERS\usbohci.sys (manual start) Classe d'imprimantes USB Microsoft: System32\DRIVERS\usbprint.sys (manual start) Pilote de scanneur USB: System32\DRIVERS\usbscan.sys (manual start) Pilote de stockage de masse USB: System32\DRIVERS\USBSTOR.SYS (manual start) VgaSave: 
\SystemRoot\System32\drivers\vga.sys (system) vsdatant: System32\vsdatant.sys (system) TrueVector Internet Monitor: C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service (autostart) Cliché instantané de volume: %SystemRoot%\System32\vssvc.exe (manual start) Horloge Windows: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) Pilote ARP IP d'accès distant: System32\DRIVERS\wanarp.sys (manual start) Pilote WINMM de compatibilité audio WDM Microsoft: system32\drivers\wdmaud.sys (manual start) WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (disabled) Infrastructure de gestion Windows: %systemroot%\system32\svchost.exe -k netsvcs (autostart) Numéro de série du média portable: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start) Extensions du pilote WMI: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start) Carte de performance WMI: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start) Mises à jour automatiques: %systemroot%\system32\svchost.exe -k netsvcs (autostart) Configuration automatique sans fil: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) NDIS5.1 Miniport Driver for Marvell Yukon Gigabit Ethernet Adapter: System32\DRIVERS\yukonwxp.sys (manual start) -------------------------------------------------- Enumerating Windows NT logon/logoff scripts: *No scripts set to run* Windows NT checkdisk command: BootExecute = *Registry value not found* Windows NT 'Wininit.ini': PendingFileRenameOperations: *Registry value not found* -------------------------------------------------- Enumerating ShellServiceObjectDelayLoad items: PostBootReminder: C:\WINDOWS\system32\SHELL32.dll CDBurn: C:\WINDOWS\system32\SHELL32.dll WebCheck: C:\WINDOWS\System32\webcheck.dll SysTray: C:\WINDOWS\System32\stobject.dll -------------------------------------------------- Autorun entries from Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run *Registry key not found* -------------------------------------------------- Autorun entries 
from Registry: HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run *Registry key not found* -------------------------------------------------- End of report, 32 165 bytes Report generated in 0,094 seconds Command line options: /verbose - to add additional info on each section /complete - to include empty sections and unsuspicious data /full - to include several rarely-important sections /force9x - to include Win9x-only startups even if running on WinNT /forcent - to include WinNT-only startups even if running on Win9x /forceall - to include all Win9x and WinNT startups, regardless of platform /history - to list version history only Merci encore
  6. Operation performed:

Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.5.0

; Results at 03/10/2007 01:01:24 for strings:
; 'nview.dll'
; 'nibble.exe'
; 'atmapi.sys'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\nView.Profile\DefaultIcon]
@="C:\\WINDOWS\\System32\\nview.dll,18"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\nView.Profile\shell\open\command]
@="rundll32.exe nview.dll,nViewCmd loadprofile shell \"%1\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"zwpInit_Dlls"="C:\\WINDOWS\\nview.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\NVIDIA Corporation\Global\MediaCenterTray\nView.dll]

[HKEY_LOCAL_MACHINE\SOFTWARE\NVIDIA Corporation\Global\MediaCenterTray\nView.dll]
"FullPath"="C:\\WINDOWS\\System32\\nview.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}01\Uninstall]
; Contents of value:
; default.tvp,keystone.exe,nvappbar.exe,nvcolor.exe,nvdspsch.exe,nview.dll,nvshell.dll,nvtuicpl.cpl,nvwdmcpl.dll,nvwimg.dll,nwiz.exe,nvmccsrs.dll
; nvcpl.cpl,nvcplui.exe,nvcpluir.dll,nvexpbar.dll
; nvcpl.chm,nvdsp.chm,nv3d.chm,nvmob.chm
; nvapps.xml>nvapps.nvb
;
"CopyFiles"=hex(7):64,00,65,00,66,00,61,00,75,00,6c,00,74,00,2e,00,74,00,76,00,\
  70,00,2c,00,6b,00,65,00,79,00,73,00,74,00,6f,00,6e,00,65,00,2e,00,65,00,78,\
  00,65,00,2c,00,6e,00,76,00,61,00,70,00,70,00,62,00,61,00,72,00,2e,00,65,00,\
  78,00,65,00,2c,00,6e,00,76,00,63,00,6f,00,6c,00,6f,00,72,00,2e,00,65,00,78,\
  00,65,00,2c,00,6e,00,76,00,64,00,73,00,70,00,73,00,63,00,68,00,2e,00,65,00,\
  78,00,65,00,2c,00,6e,00,76,00,69,00,65,00,77,00,2e,00,64,00,6c,00,6c,00,2c,\
  00,6e,00,76,00,73,00,68,00,65,00,6c,00,6c,00,2e,00,64,00,6c,00,6c,00,2c,00,\
  6e,00,76,00,74,00,75,00,69,00,63,00,70,00,6c,00,2e,00,63,00,70,00,6c,00,2c,\
  00,6e,00,76,00,77,00,64,00,6d,00,63,00,70,00,6c,00,2e,00,64,00,6c,00,6c,00,\
  2c,00,6e,00,76,00,77,00,69,00,6d,00,67,00,2e,00,64,00,6c,00,6c,00,2c,00,6e,\
  00,77,00,69,00,7a,00,2e,00,65,00,78,00,65,00,2c,00,6e,00,76,00,6d,00,63,00,\
  63,00,73,00,72,00,73,00,2e,00,64,00,6c,00,6c,00,00,00,6e,00,76,00,63,00,70,\
  00,6c,00,2e,00,63,00,70,00,6c,00,2c,00,6e,00,76,00,63,00,70,00,6c,00,75,00,\
  69,00,2e,00,65,00,78,00,65,00,2c,00,6e,00,76,00,63,00,70,00,6c,00,75,00,69,\
  00,72,00,2e,00,64,00,6c,00,6c,00,2c,00,6e,00,76,00,65,00,78,00,70,00,62,00,\
  61,00,72,00,2e,00,64,00,6c,00,6c,00,00,00,6e,00,76,00,63,00,70,00,6c,00,2e,\
  00,63,00,68,00,6d,00,2c,00,6e,00,76,00,64,00,73,00,70,00,2e,00,63,00,68,00,\
  6d,00,2c,00,6e,00,76,00,33,00,64,00,2e,00,63,00,68,00,6d,00,2c,00,6e,00,76,\
  00,6d,00,6f,00,62,00,2e,00,63,00,68,00,6d,00,00,00,6e,00,76,00,61,00,70,00,\
  70,00,73,00,2e,00,78,00,6d,00,6c,00,3e,00,6e,00,76,00,61,00,70,00,70,00,73,\
  00,2e,00,6e,00,76,00,62,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}01\Uninstall]
; Contents of value:
; default.tvp,keystone.exe,nvappbar.exe,nvcolor.exe,nvdspsch.exe,nview.dll,nvshell.dll,nvtuicpl.cpl,nvwdmcpl.dll,nvwimg.dll,nwiz.exe,nvmccsrs.dll
; nvcpl.cpl,nvcplui.exe,nvcpluir.dll,nvexpbar.dll
; nvcpl.chm,nvdsp.chm,nv3d.chm,nvmob.chm
; nvapps.xml>nvapps.nvb
;
"CopyFiles"=hex(7):64,00,65,00,66,00,61,00,75,00,6c,00,74,00,2e,00,74,00,76,00,\
  70,00,2c,00,6b,00,65,00,79,00,73,00,74,00,6f,00,6e,00,65,00,2e,00,65,00,78,\
  00,65,00,2c,00,6e,00,76,00,61,00,70,00,70,00,62,00,61,00,72,00,2e,00,65,00,\
  78,00,65,00,2c,00,6e,00,76,00,63,00,6f,00,6c,00,6f,00,72,00,2e,00,65,00,78,\
  00,65,00,2c,00,6e,00,76,00,64,00,73,00,70,00,73,00,63,00,68,00,2e,00,65,00,\
  78,00,65,00,2c,00,6e,00,76,00,69,00,65,00,77,00,2e,00,64,00,6c,00,6c,00,2c,\
  00,6e,00,76,00,73,00,68,00,65,00,6c,00,6c,00,2e,00,64,00,6c,00,6c,00,2c,00,\
  6e,00,76,00,74,00,75,00,69,00,63,00,70,00,6c,00,2e,00,63,00,70,00,6c,00,2c,\
  00,6e,00,76,00,77,00,64,00,6d,00,63,00,70,00,6c,00,2e,00,64,00,6c,00,6c,00,\
  2c,00,6e,00,76,00,77,00,69,00,6d,00,67,00,2e,00,64,00,6c,00,6c,00,2c,00,6e,\
  00,77,00,69,00,7a,00,2e,00,65,00,78,00,65,00,2c,00,6e,00,76,00,6d,00,63,00,\
  63,00,73,00,72,00,73,00,2e,00,64,00,6c,00,6c,00,00,00,6e,00,76,00,63,00,70,\
  00,6c,00,2e,00,63,00,70,00,6c,00,2c,00,6e,00,76,00,63,00,70,00,6c,00,75,00,\
  69,00,2e,00,65,00,78,00,65,00,2c,00,6e,00,76,00,63,00,70,00,6c,00,75,00,69,\
  00,72,00,2e,00,64,00,6c,00,6c,00,2c,00,6e,00,76,00,65,00,78,00,70,00,62,00,\
  61,00,72,00,2e,00,64,00,6c,00,6c,00,00,00,6e,00,76,00,63,00,70,00,6c,00,2e,\
  00,63,00,68,00,6d,00,2c,00,6e,00,76,00,64,00,73,00,70,00,2e,00,63,00,68,00,\
  6d,00,2c,00,6e,00,76,00,33,00,64,00,2e,00,63,00,68,00,6d,00,2c,00,6e,00,76,\
  00,6d,00,6f,00,62,00,2e,00,63,00,68,00,6d,00,00,00,6e,00,76,00,61,00,70,00,\
  70,00,73,00,2e,00,78,00,6d,00,6c,00,3e,00,6e,00,76,00,61,00,70,00,70,00,73,\
  00,2e,00,6e,00,76,00,62,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}01\Uninstall]
; Contents of value:
; default.tvp,keystone.exe,nvappbar.exe,nvcolor.exe,nvdspsch.exe,nview.dll,nvshell.dll,nvtuicpl.cpl,nvwdmcpl.dll,nvwimg.dll,nwiz.exe,nvmccsrs.dll
; nvcpl.cpl,nvcplui.exe,nvcpluir.dll,nvexpbar.dll
; nvcpl.chm,nvdsp.chm,nv3d.chm,nvmob.chm
; nvapps.xml>nvapps.nvb
;
"CopyFiles"=hex(7):64,00,65,00,66,00,61,00,75,00,6c,00,74,00,2e,00,74,00,76,00,\
  70,00,2c,00,6b,00,65,00,79,00,73,00,74,00,6f,00,6e,00,65,00,2e,00,65,00,78,\
  00,65,00,2c,00,6e,00,76,00,61,00,70,00,70,00,62,00,61,00,72,00,2e,00,65,00,\
  78,00,65,00,2c,00,6e,00,76,00,63,00,6f,00,6c,00,6f,00,72,00,2e,00,65,00,78,\
  00,65,00,2c,00,6e,00,76,00,64,00,73,00,70,00,73,00,63,00,68,00,2e,00,65,00,\
  78,00,65,00,2c,00,6e,00,76,00,69,00,65,00,77,00,2e,00,64,00,6c,00,6c,00,2c,\
  00,6e,00,76,00,73,00,68,00,65,00,6c,00,6c,00,2e,00,64,00,6c,00,6c,00,2c,00,\
  6e,00,76,00,74,00,75,00,69,00,63,00,70,00,6c,00,2e,00,63,00,70,00,6c,00,2c,\
  00,6e,00,76,00,77,00,64,00,6d,00,63,00,70,00,6c,00,2e,00,64,00,6c,00,6c,00,\
  2c,00,6e,00,76,00,77,00,69,00,6d,00,67,00,2e,00,64,00,6c,00,6c,00,2c,00,6e,\
  00,77,00,69,00,7a,00,2e,00,65,00,78,00,65,00,2c,00,6e,00,76,00,6d,00,63,00,\
  63,00,73,00,72,00,73,00,2e,00,64,00,6c,00,6c,00,00,00,6e,00,76,00,63,00,70,\
  00,6c,00,2e,00,63,00,70,00,6c,00,2c,00,6e,00,76,00,63,00,70,00,6c,00,75,00,\
  69,00,2e,00,65,00,78,00,65,00,2c,00,6e,00,76,00,63,00,70,00,6c,00,75,00,69,\
  00,72,00,2e,00,64,00,6c,00,6c,00,2c,00,6e,00,76,00,65,00,78,00,70,00,62,00,\
  61,00,72,00,2e,00,64,00,6c,00,6c,00,00,00,6e,00,76,00,63,00,70,00,6c,00,2e,\
  00,63,00,68,00,6d,00,2c,00,6e,00,76,00,64,00,73,00,70,00,2e,00,63,00,68,00,\
  6d,00,2c,00,6e,00,76,00,33,00,64,00,2e,00,63,00,68,00,6d,00,2c,00,6e,00,76,\
  00,6d,00,6f,00,62,00,2e,00,63,00,68,00,6d,00,00,00,6e,00,76,00,61,00,70,00,\
  70,00,73,00,2e,00,78,00,6d,00,6c,00,3e,00,6e,00,76,00,61,00,70,00,70,00,73,\
  00,2e,00,6e,00,76,00,62,00,00,00,00,00

; End Of The Log...

Later
  7. Re, here is the Regsearch report:

Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.5.0

; Results at 03/10/2007 00:40:25 for strings:
; 'access.cni'
; 'mwrem.cin'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS

[HKEY_LOCAL_MACHINE\SOFTWARE\1]
"Path"="C:\\WINDOWS\\help\\access.cni"

[HKEY_LOCAL_MACHINE\SOFTWARE\2]
"Path"="C:\\WINDOWS\\help\\mwrem.cin"

; End Of The Log...

There is one file that reminds me of something: Adaware and Antivir flagged the following file as Heur/Malware this afternoon: C:\Windows\Help\access.cni. It was put in quarantine.

I remain available, thanks again ^^
  8. Re, they were indeed moved by OT:

C:\WINDOWS\nibble.exe moved successfully.
C:\Windows\Prefetch\NIBBLE.EXE-02551F7B.pf moved successfully.
C:\Documents and Settings\Turhan\Local Settings\Temporary Internet Files\Content.IE5\45EZSL2V\nibble[1].exe moved successfully.
Created on 10/02/2007 16:13:14

After the operation I rebooted the PC, and they are back, each in its respective location.

Later
  9. Right after posting the message, I rebooted the PC to see whether it would come back at startup. It does indeed. After a search on the PC, we have:

- nibble.exe in C:\Windows
- nibble.exe.mwt in C:\Windows
- NIBBLE.EXE-02551F7B.pf in C:\Windows\Prefetch
- nibble.exe.mwt in C:\_OTMOVEIT\MOVEDFILES\Windows
- nibble[1].exe.mwt in C:\_OTMoveIt\MovedFiles\Documents and Settings\Turhan\Local Settings\Temporary Internet Files\Content.IE5\45EZSL2V

Here are the scan results:

2007-10-02,15:38:05
System Repair Engineer 2.5.16.900
Smallfrogs (http://www.KZTechs.com)
Windows XP Professional (Build 2600) - Administrative User - Completed Functions Allowed

Follow item(s) have been choosed:
All Boot Items (Including Registry, Startup Folders, Services and so on)
Browser Add-ons
Runing Processes (Including process model information)
File Associations
Winsock Provider
Autorun.Inf
HOSTS File
Process Privileges Scan

Boot Items
Registry
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<load><> [N/A]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<QuickTime Task><"C:\Program Files\QuickTime\qttask.exe" -atboottime> [Apple Computer, Inc.]
<avgnt><"C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min> [Avira GmbH]
<Zone Labs Client><"C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"> [(Verified)Check Point Software Technologies Ltd.]
<ZoneAlarm Client><"C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"> [(Verified)Check Point Software Technologies Ltd.]
<NvCplDaemon><RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup> [NVIDIA Corporation]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<shell><c:\windows\explorer.exe> [(Verified)Microsoft Windows XP Publisher (Europe)]
<Userinit><c:\windows\system32\userinit.exe> [(Verified)Microsoft Windows XP Publisher (Europe)]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs><> [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
<Lecteur Windows Media Microsoft 6.4><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\mplayer2.inf,PerUserStub.NT> [(Verified)Microsoft Windows XP Publisher (Europe)]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]
<Themes Setup><%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll> [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
<Microsoft Outlook Express 6><"%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install> [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}]
<NetMeeting 3.01><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT> [(Verified)Microsoft Windows XP Publisher (Europe)]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}]
<Windows Messenger 4.0><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.Install.PerUser> [(Verified)Microsoft Windows XP Publisher (Europe)]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
<Microsoft Windows Media Player 8><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub> [(Verified)Microsoft Windows XP Publisher (Europe)]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
<Carnet d'adresses 6><"%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install> [N/A]

==================================
Startup Folders
N/A

==================================
Services
[AntiVir PersonalEdition Classic Scheduler / AntiVirScheduler][Running/Auto Start]
  <"C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe"><Avira GmbH>
[AntiVir PersonalEdition Classic Guard / AntiVirService][Running/Auto Start]
  <"C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe"><Avira GmbH>
[Symantec Settings Manager / ccSetMgr][Stopped/Disabled]
  <"C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe"><Symantec Corporation>
[Symantec AntiVirus Definition Watcher / DefWatch][Stopped/Disabled]
  <><N/A>
[nTune Service / nTuneService][Running/Auto Start]
  <C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe /StartService><NVIDIA>
[NVIDIA Display Driver Service / NVSvc][Running/Auto Start]
  <C:\WINDOWS\System32\nvsvc32.exe><NVIDIA Corporation>
[SavRoam / SavRoam][Stopped/Disabled]
  <><N/A>
[Symantec Network Drivers Service / SNDSrvc][Stopped/Disabled]
  <"C:\Program Files\Fichiers communs\Symantec Shared\SNDSrvc.exe"><Symantec Corporation>
[Symantec AntiVirus / Symantec AntiVirus][Stopped/Disabled]
  <><N/A>
[Service Messenger Sharing Folders USN Journal Reader / usnjsvc][Stopped/Manual Start]
  <><N/A>
[TrueVector Internet Monitor / vsmon][Running/Auto Start]
  <C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service><Zone Labs, LLC>

==================================
Drivers
[atitray / atitray][Stopped/System Start]
  <\??\C:\Program Files\Radeon Omega Drivers\v3.8.360\ATI Tray Tools\atitray.sys><N/A>
[avgntdd / avgntdd][Running/System Start]
  <SYSTEM32\DRIVERS\avgntdd.sys><Avira GmbH>
[avgntmgr / avgntmgr][Running/Boot Start]
  <\SystemRoot\SYSTEM32\DRIVERS\avgntmgr.sys><Avira GmbH>
[avipbb / avipbb][Running/System Start]
  <System32\DRIVERS\avipbb.sys><AVIRA GmbH>
[KLIF / KLIF][Stopped/Manual Start]
  <\??\C:\WINDOWS\system32\ZoneLabs\avsys\KLIF.SYS><Kaspersky Lab>
[NAVENG / NAVENG][Stopped/Manual Start]
  <\??\C:\PROGRA~1\FICHIE~1\SYMANT~1\VIRUSD~1\20070730.016\naveng.sys><Symantec Corporation>
[NAVEX15 / NAVEX15][Stopped/Manual Start]
  <\??\C:\PROGRA~1\FICHIE~1\SYMANT~1\VIRUSD~1\20070730.016\navex15.sys><Symantec Corporation>
[nv / nv][Running/Manual Start]
  <System32\DRIVERS\nv4_mini.sys><NVIDIA Corporation>
[Service for NVIDIA(R) nForce(TM) Audio Enumerator / nvax][Running/Manual Start]
  <system32\drivers\nvax.sys><NVIDIA Corporation>
[Service for NVIDIA(R) nForce(TM) Audio / nvnforce][Running/Manual Start]
  <system32\drivers\nvapu.sys><NVIDIA Corporation>
[NVR0Dev / NVR0Dev][Running/Manual Start]
  <\??\C:\WINDOWS\nvoclock.sys><NVidia Corp.>
[Pilote de liaison parallèle directe / Ptilink][Running/Manual Start]
  <System32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
[PxHelp20 / PxHelp20][Running/Boot Start]
  <\SystemRoot\System32\Drivers\PxHelp20.sys><Sonic Solutions>
[Pilote NT de carte Realtek PCI Ethernet à base RTL8029(AS) / rtl8029][Stopped/Manual Start]
  <System32\DRIVERS\RTL8029.SYS><Realtek Semiconductor Corporation>
[SAVRT / SAVRT][Stopped/Manual Start]
  <\??\C:\Program Files\Symantec AntiVirus\savrt.sys><N/A>
[SAVRTPEL / SAVRTPEL][Stopped/Auto Start]
  <\??\C:\Program Files\Symantec AntiVirus\Savrtpel.sys><N/A>
[Secdrv / Secdrv][Stopped/Manual Start]
  <System32\DRIVERS\secdrv.sys><N/A>
[srescan / srescan][Running/Boot Start]
  <\SystemRoot\System32\ZoneLabs\srescan.sys><Zone Labs, LLC>
[ssmdrv / ssmdrv][Running/System Start]
  <System32\DRIVERS\ssmdrv.sys><Avira GmbH>
[SYMREDRV / SYMREDRV][Stopped/Manual Start]
  <\SystemRoot\System32\Drivers\SYMREDRV.SYS><Symantec Corporation>
[SYMTDI / SYMTDI][Running/System Start]
  <\SystemRoot\System32\Drivers\SYMTDI.SYS><Symantec Corporation>
[TVICHW32 / TVICHW32][Stopped/Manual Start]
  <\??\C:\WINDOWS\System32\DRIVERS\TVICHW32.SYS><EnTech Taiwan>
[vsdatant / vsdatant][Running/System Start]
  <System32\vsdatant.sys><Zone Labs, LLC>
[NDIS5.1 Miniport Driver for Marvell Yukon Gigabit Ethernet Adapter / yukonwxp][Running/Manual Start]
  <System32\DRIVERS\yukonwxp.sys><Marvell Semiconductor Inc.>

==================================
Browser Add-ons
[CKAVWebScan Object]
  {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} <C:\WINDOWS\System32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll, Kaspersky Lab>
[Checkers Class]
  {20A60F0D-9AFA-4515-A0FD-83BD84642501} <C:\WINDOWS\Downloaded Program Files\msgrchkr.dll, Microsoft Corporation>
[WUWebControl Class]
  {6414512B-B978-451D-A0D8-FCFDF33E833C} <C:\WINDOWS\System32\wuweb.dll, Microsoft Corporation>
[Shockwave Flash Object]
  {D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINDOWS\System32\Macromed\Flash\Flash9b.ocx, Adobe Systems, Inc.>

==================================
Running Processes
[PID: 580 / SYSTEM][\SystemRoot\System32\smss.exe] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[PID: 636 / SYSTEM][\??\C:\WINDOWS\system32\csrss.exe] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[PID: 660 / SYSTEM][\??\C:\WINDOWS\system32\winlogon.exe] [Microsoft Corporation, 5.1.2600.149 (xpclnt_qfe.021108-2107)]
  [C:\WINDOWS\nview.dll] [N/A, ]
  [C:\WINDOWS\system32\wdmaud.drv] [Microsoft Corporation, 5.1.2600.0 (XPClient.010817-1148)]
  [C:\WINDOWS\system32\msacm32.drv] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[PID: 716 / SYSTEM][C:\WINDOWS\system32\services.exe] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[PID: 728 / SYSTEM][C:\WINDOWS\system32\lsass.exe] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[PID: 912 / SYSTEM][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[PID: 1012 / SYSTEM][C:\WINDOWS\System32\svchost.exe] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
  [C:\WINDOWS\System32\WINHTTP.dll] [Microsoft Corporation, 5.1.2600.1557 (xpsp2_gdr.040517-1325)]
[PID: 1100 / SERVICE LOCAL][C:\WINDOWS\System32\svchost.exe] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[PID: 1916 / SYSTEM][C:\WINDOWS\system32\spoolsv.exe] [Microsoft Corporation, 5.1.2600.0 (XPClient.010817-1148)]
  [C:\WINDOWS\system32\E_FLBBIE.DLL] [SEIKO EPSON CORPORATION, 1, 5, 0, 0]
[PID: 1956 / SYSTEM][C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe] [Avira GmbH, 7.00.00.81]
  [C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgio.dll] [Avira GmbH, 7.00.00.01]
  [C:\Program Files\Avira\AntiVir PersonalEdition Classic\avevtlog.dll] [Avira GmbH, 7.00.00.20]
  [C:\Program Files\Avira\AntiVir PersonalEdition Classic\guardmsg.dll] [Avira GmbH, 7.00.11.00]
  [C:\Program Files\Avira\AntiVir PersonalEdition Classic\sqlite3.dll] [, 3, 3, 17, 1]
  [C:\Program Files\Avira\AntiVir PersonalEdition Classic\MSVCR71.dll] [Microsoft Corporation, 7.10.3052.4]
  [C:\Program Files\Avira\AntiVir PersonalEdition Classic\AVPREF.DLL] [Avira GmbH, 7.00.02.02]
  [C:\Program Files\Avira\AntiVir PersonalEdition Classic\SMTPLIB.DLL] [Avira GmbH, 1.02.00.17]
  [C:\Program Files\Avira\AntiVir PersonalEdition Classic\AVPACK32.DLL] [Avira GmbH, 7.03.00.15]
  [C:\Program Files\Avira\AntiVir PersonalEdition Classic\unacev2.dll] [N/A, ]
  [C:\Program Files\Avira\AntiVir PersonalEdition Classic\AVEWIN32.DLL] [Avira GmbH, 7.6.0.18]
  [C:\Program Files\Avira\AntiVir PersonalEdition Classic\avipc.dll] [Avira GmbH, 1.00.00.04]
[PID: 204 / SERVICE LOCAL][C:\WINDOWS\System32\alg.exe] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[PID: 196 / SYSTEM][C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe] [Avira GmbH, 7.00.00.62]
  [C:\Program Files\Avira\AntiVir PersonalEdition Classic\MSVCR71.dll] [Microsoft Corporation, 7.10.3052.4]
  [C:\Program Files\Avira\AntiVir PersonalEdition Classic\MSVCP71.dll] [Microsoft Corporation, 7.10.3077.0]
  [C:\Program Files\Avira\AntiVir PersonalEdition Classic\schedr.dll] [Avira GmbH, 7.00.24.00]
  [C:\Program Files\Avira\AntiVir PersonalEdition Classic\avevtlog.dll] [Avira GmbH, 7.00.00.20]
  [C:\Program Files\Avira\AntiVir PersonalEdition Classic\sqlite3.dll] [, 3, 3, 17, 1]
[PID: 256 / SYSTEM][C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe] [NVIDIA, 5.05.25]
  [C:\WINDOWS\system32\MFC71.DLL] [Microsoft Corporation, 7.10.3077.0]
  [C:\WINDOWS\system32\MSVCR71.dll] [Microsoft Corporation, 7.10.3052.4]
  [C:\Program Files\NVIDIA Corporation\nTune\nTuneServiceENU.dll] [NVIDIA, 5.05.25]
  [C:\WINDOWS\system32\nvapi.dll] [N/A, ]
[PID: 272 / SYSTEM][C:\WINDOWS\System32\nvsvc32.exe] [NVIDIA Corporation, 6.14.10.9424]
  [C:\WINDOWS\System32\nvapi.dll] [N/A, ]
[PID: 624 / Turhan][c:\windows\explorer.exe] [Microsoft Corporation, 6.00.2600.0000 (xpclient.010817-1148)]
  [C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mlfhook.dll] [, 4, 9, 1, 8211]
  [C:\Program Files\Combined Community Codec Pack\Filters\Haali\mmfinfo.dll] [N/A, ]
  [C:\Program Files\Combined Community Codec Pack\Filters\Haali\mkunicode.dll] [N/A, ]
  [C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\PDFShell.dll] [Adobe Systems, Inc., 8.0.0.0]
  [C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\PDFShell.FRA] [Adobe Systems, Inc., 8.0.0.0]
  [C:\Program Files\Microsoft Office\Office\soa800.dll] [Microsoft Corporation, 8.000.3501]
  [C:\Program Files\WinRAR\rarext.dll] [N/A, ]
  [C:\Program Files\EPSON\Creativity Suite\Easy Photo Print\EPPShell.dll] [SEIKO EPSON CORPORATION, 1, 0, 0, 0]
  [C:\Program Files\Zone Labs\ZoneAlarm\zlavscan.dll] [Zone Labs, LLC, 7.0.337.000]
  [C:\Program Files\Zone Labs\ZoneAlarm\zlavscan_Loc040c.dll] [Zone Labs Inc., 5.3.017.000]
  [C:\Program Files\Avira\AntiVir PersonalEdition Classic\shlext.dll] [Avira GmbH, 7.00.00.10]
  [C:\Program Files\Avira\AntiVir PersonalEdition Classic\MFC71U.DLL] [Microsoft Corporation, 7.10.3077.0]
  [C:\Program Files\Avira\AntiVir PersonalEdition Classic\MSVCR71.dll] [Microsoft Corporation, 7.10.3052.4]
  [C:\Program Files\Fichiers
communs\Symantec Shared\SSC\vpshell2.dll] [Symantec Corporation, 9.0.0.338] [PID: 1236 / Turhan][C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe] [Avira GmbH, 7.02.00.13] [C:\Program Files\Avira\AntiVir PersonalEdition Classic\MFC71U.DLL] [Microsoft Corporation, 7.10.3077.0] [C:\Program Files\Avira\AntiVir PersonalEdition Classic\MSVCR71.dll] [Microsoft Corporation, 7.10.3052.4] [C:\Program Files\Avira\AntiVir PersonalEdition Classic\cclib.dll] [Avira GmbH, 7.02.00.03] [C:\Program Files\Avira\AntiVir PersonalEdition Classic\MSVCP71.dll] [Microsoft Corporation, 7.10.3077.0] [c:\program files\avira\antivir personaledition classic\ccgen.dll] [Avira GmbH, 7.02.00.10] [c:\program files\avira\antivir personaledition classic\ccgenrc.dll] [Avira GmbH, 7.02.04.02] [c:\program files\avira\antivir personaledition classic\ccguard.dll] [Avira GmbH, 7.00.01.34] [c:\program files\avira\antivir personaledition classic\ccgrdrc.dll] [Avira GmbH, 7.00.06.00] [C:\Program Files\Avira\AntiVir PersonalEdition Classic\avipc.dll] [Avira GmbH, 1.00.00.04] [c:\program files\avira\antivir personaledition classic\ccupdate.dll] [Avira GmbH, 7.02.00.04] [c:\program files\avira\antivir personaledition classic\ccupdrc.dll] [Avira GmbH, 7.02.01.00] [c:\program files\avira\antivir personaledition classic\cclic.dll] [Avira GmbH, 7.02.00.04] [c:\program files\avira\antivir personaledition classic\cclicrc.dll] [Avira GmbH, 7.02.01.00] [c:\program files\avira\antivir personaledition classic\ccmsg.dll] [Avira GmbH, 7.00.00.00] [PID: 1284 / Turhan][C:\Program Files\MSN Messenger\msnmsgr.exe] [Microsoft Corporation, 8.1.0178.00] [C:\Program Files\MSN Messenger\MSNCore.dll] [Microsoft Corporation, 8.1.0178.00] [C:\Program Files\MSN Messenger\msidcrl40.dll] [Microsoft Corporation, 4.100.313.1] [C:\Program Files\MSN Messenger\ContactsUX.dll] [Microsoft Corporation, 8.1.0178.00] [C:\Program Files\MSN Messenger\msgslang.8.1.0178.00.dll] [Microsoft Corporation, 8.1.0178.00] [C:\Program Files\MSN 
Messenger\msgsres.dll] [Microsoft Corporation, 8.1.0178.00] [C:\Program Files\MSN Messenger\lcapi.dll] [Microsoft Corporation, 1.7.256.0 (RTC Version 4.3.5371.0) built by: msn8.0(rtbldlab)] [C:\WINDOWS\System32\msdmo.dll] [, ] [C:\Program Files\MSN Messenger\lcres.dll] [Microsoft Corp., 1.7.109.0 (RTC Version 4.3.5371.0) built by: msn8.0(rtbldlab)] [C:\Program Files\MSN Messenger\RTMPLTFM.dll] [Microsoft Corporation, 3.0.5774.0 built by: media_msn80] [C:\WINDOWS\System32\wdmaud.drv] [Microsoft Corporation, 5.1.2600.0 (XPClient.010817-1148)] [C:\WINDOWS\System32\msacm32.drv] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)] [C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mlfhook.dll] [, 4, 9, 1, 8211] [C:\Program Files\MSN Messenger\MSGSWCAM.dll] [Microsoft Corporation, 8.1.0178.00] [C:\WINDOWS\System32\sirenacm.dll] [Microsoft Corp., 8.1.0178.00] [C:\Program Files\MSN Messenger\lmcdata.dll] [Microsoft Corporation, 8.1.0178.00] [C:\Program Files\MSN Messenger\dfsr.dll] [Microsoft Corporation, 8.1.0178.00] [C:\Program Files\MSN Messenger\abssm.dll] [Microsoft Corporation, 8.1.0178.00] [C:\Program Files\MSN Messenger\custsat.dll] [Microsoft Corporation, 9.0.3790.2428 (srv03_sp1_qfe.050422-1043)] [C:\Program Files\MSN Messenger\contact.dll] [Microsoft Corporation, 8.1.0178.00] [PID: 2052 / Turhan][C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe] [ , 4, 9, 1, 8211] [C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\crsrpt.dll] [, 4, 9, 1, 8211] [C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\DBGHELP.dll] [Microsoft Corporation, 6.3.0005.1 (DbgBuild.030922-1449)] [C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\MSVCP70.dll] [Microsoft Corporation, 7.00.9466.0] [C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\MSVCR70.dll] [Microsoft Corporation, 7.00.9466.0] [C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mtdsdk.dll] [N/A, ] [C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\resources\mbzafra.dll] [N/A, ] [C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mlfhook.dll] [, 4, 9, 1, 8211] [PID: 2252 / 
SYSTEM][C:\WINDOWS\System32\svchost.exe] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)] [PID: 564 / Turhan][C:\Program Files\Internet Explorer\iexplore.exe] [Microsoft Corporation, 6.00.2600.0000 (xpclient.010817-1148)] [C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mlfhook.dll] [, 4, 9, 1, 8211] [C:\WINDOWS\System32\wdmaud.drv] [Microsoft Corporation, 5.1.2600.0 (XPClient.010817-1148)] [C:\WINDOWS\System32\msacm32.drv] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)] [C:\WINDOWS\System32\Macromed\Flash\Flash9b.ocx] [Adobe Systems, Inc., 9,0,28,0] [PID: 1460 / Turhan][C:\Program Files\Internet Explorer\iexplore.exe] [Microsoft Corporation, 6.00.2600.0000 (xpclient.010817-1148)] [C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mlfhook.dll] [, 4, 9, 1, 8211] [C:\WINDOWS\System32\wdmaud.drv] [Microsoft Corporation, 5.1.2600.0 (XPClient.010817-1148)] [C:\WINDOWS\System32\msacm32.drv] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)] [C:\WINDOWS\System32\Macromed\Flash\Flash9b.ocx] [Adobe Systems, Inc., 9,0,28,0] [PID: 2148 / Turhan][C:\Program Files\Microsoft Office\Office\excel.exe] [, ] [C:\Program Files\Microsoft Office\Office\MSO97.DLL] [, ] [C:\Program Files\Microsoft Office\Office\XLINTL32.dll] [Microsoft Corporation, 8.0] [C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mlfhook.dll] [, 4, 9, 1, 8211] [C:\Program Files\Microsoft Office\Office\scanload.dll] [, ] [C:\WINDOWS\System32\wdmaud.drv] [Microsoft Corporation, 5.1.2600.0 (XPClient.010817-1148)] [C:\WINDOWS\System32\msacm32.drv] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)] [PID: 2512 / SYSTEM][C:\WINDOWS\System32\msiexec.exe] [Microsoft Corporation, 3.1.4000.1823] [PID: 2532 / Turhan][C:\Documents and Settings\Turhan\Bureau\sreng2\SREngPS.EXE] [Smallfrogs Studio, 2.5.16.900] [C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mlfhook.dll] [, 4, 9, 1, 8211] [C:\Documents and Settings\Turhan\Bureau\sreng2\Upload\3rdUpd.DLL] [Smallfrogs Studio, 2, 1, 0, 15] ================================== File 
Associations .TXT OK. [%SystemRoot%\system32\NOTEPAD.EXE %1] .EXE OK. ["%1" %*] .COM OK. ["%1" %*] .PIF OK. ["%1" %*] .REG OK. [regedit.exe "%1"] .BAT OK. ["%1" %*] .SCR OK. ["%1" /S] .CHM OK. ["C:\WINDOWS\hh.exe" %1] .HLP OK. [%SystemRoot%\System32\winhlp32.exe %1] .INI OK. [%SystemRoot%\System32\NOTEPAD.EXE %1] .INF OK. [%SystemRoot%\System32\NOTEPAD.EXE %1] .VBS OK. [%SystemRoot%\System32\WScript.exe "%1" %*] .JS OK. [%SystemRoot%\System32\WScript.exe "%1" %*] .LNK OK. [{00021401-0000-0000-C000-000000000046}] ================================== Winsock Provider N/A ================================== Autorun.Inf N/A ================================== HOSTS File 127.0.0.1 localhost ================================== Process Privileges Scan Special Privilege Enabled: SeLoadDriverPrivilege [PID = 1956, C:\PROGRAM FILES\AVIRA\ANTIVIR PERSONALEDITION CLASSIC\AVGUARD.EXE] Special Privilege Enabled: SeLoadDriverPrivilege [PID = 272, C:\WINDOWS\SYSTEM32\NVSVC32.EXE] Special Privilege Enabled: SeLoadDriverPrivilege [PID = 1236, C:\PROGRAM FILES\AVIRA\ANTIVIR PERSONALEDITION CLASSIC\AVGNT.EXE] Special Privilege Enabled: SeLoadDriverPrivilege [PID = 2148, C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\EXCEL.EXE] ================================== API HOOK N/A ================================== Hidden Process N/A ================================== Bien qu'il soit là , il ne termine plus les programmes (Messenger et Excell sont actifs depuis plus de 20 minutes) Je reste à disposition pour de futures manipulations.
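The SREng report above lists, under each process, every module mapped into it, and then checks the shell handlers for executable file types. Two things a responder looks for in such a dump are a module loaded into a core system process (the winlogon.exe entry above carries C:\WINDOWS\nview.dll with no version information) and a changed .EXE/.COM/.SCR handler. The following Python script, an added example that is not part of the post and not SREng's own code, parses those two sections in the format shown and flags both conditions. The sample lines are constructed from the report format above; the hijacked .EXE entry and its path C:\WINDOWS\example_hijack.exe are hypothetical, included only to show what a hit looks like.

```python
"""Triage helpers for an SREng-style report (added example, not SREng code).

Flags (1) modules mapped into core system processes that live outside
system32 or carry no version information, and (2) file-association
handlers for executable types that differ from the Windows XP defaults.
"""
import re

# Processes that should only host Microsoft system modules.
CORE_PROCESSES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe"}

# Windows XP default shell\open\command values for executable file types.
EXPECTED_ASSOC = {
    ".EXE": '"%1" %*',
    ".COM": '"%1" %*',
    ".BAT": '"%1" %*',
    ".PIF": '"%1" %*',
    ".SCR": '"%1" /S',
    ".REG": 'regedit.exe "%1"',
}

# "[PID: 660 / SYSTEM][C:\...\winlogon.exe] [Microsoft Corporation, 5.1.2600.149 (...)]"
PROC_RE = re.compile(r"^\[PID: (\d+) / (.+?)\]\[(.+?)\] \[(.*?)\]$")
# "[C:\WINDOWS\nview.dll] [N/A, ]"  (module line listed under its process)
MOD_RE = re.compile(r"^\[(.+?)\] \[(.*?)\]$")
# ".EXE OK. ["%1" %*]"
ASSOC_RE = re.compile(r"^(\.[A-Z]+) (\w+)\. \[(.*)\]$")


def parse_processes(lines):
    """Return {pid: {"image", "user", "info", "modules": [(path, info), ...]}}."""
    procs, current = {}, None
    for line in lines:
        m = PROC_RE.match(line)
        if m:
            pid, user, image, info = m.groups()
            current = procs[int(pid)] = {"image": image, "user": user, "info": info, "modules": []}
            continue
        m = MOD_RE.match(line)
        if m and current is not None:
            current["modules"].append((m.group(1), m.group(2)))
    return procs


def _no_version_info(info):
    # "[N/A, ]" and "[, ]" both mean the file carries no version resource.
    return info.replace(",", "").strip() in ("", "N/A")


def suspicious_modules(procs):
    """Modules inside core processes that are outside system32 or lack version info."""
    findings = []
    for pid, proc in procs.items():
        image_name = proc["image"].rsplit("\\", 1)[-1].lower()
        if image_name not in CORE_PROCESSES:
            continue
        for path, info in proc["modules"]:
            if "\\system32\\" not in path.lower() or _no_version_info(info):
                findings.append((pid, image_name, path, info))
    return findings


def check_associations(lines):
    """Compare File Associations entries with the XP defaults; return mismatches."""
    findings = []
    for line in lines:
        m = ASSOC_RE.match(line)
        if not m:
            continue
        ext, _status, command = m.groups()
        expected = EXPECTED_ASSOC.get(ext)
        if expected is not None and command != expected:
            findings.append((ext, command, expected))
    return findings


# Constructed sample input in the report's format (winlogon and one svchost).
SAMPLE_PROCESS_LINES = [
    r"[PID: 660 / SYSTEM][\??\C:\WINDOWS\system32\winlogon.exe] [Microsoft Corporation, 5.1.2600.149 (xpclnt_qfe.021108-2107)]",
    r"[C:\WINDOWS\nview.dll] [N/A, ]",
    r"[C:\WINDOWS\system32\wdmaud.drv] [Microsoft Corporation, 5.1.2600.0 (XPClient.010817-1148)]",
    r"[C:\WINDOWS\system32\msacm32.drv] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]",
    r"[PID: 1012 / SYSTEM][C:\WINDOWS\System32\svchost.exe] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]",
    r"[C:\WINDOWS\System32\WINHTTP.dll] [Microsoft Corporation, 5.1.2600.1557 (xpsp2_gdr.040517-1325)]",
]
SAMPLE_ASSOC_LINES = [
    r".TXT OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]",
    r'.EXE OK. ["%1" %*]',
    r'.COM OK. ["%1" %*]',
    r'.SCR OK. ["%1" /S]',
    r'.REG OK. [regedit.exe "%1"]',
    # Hypothetical hijacked handler (constructed; not from the report above).
    r'.EXE OK. ["C:\WINDOWS\example_hijack.exe" "%1" %*]',
]

if __name__ == "__main__":
    for pid, image, path, info in suspicious_modules(parse_processes(SAMPLE_PROCESS_LINES)):
        print(f"suspicious module in {image} (PID {pid}): {path} [{info}]")
    for ext, command, expected in check_associations(SAMPLE_ASSOC_LINES):
        print(f"{ext} handler changed: {command!r} (expected {expected!r})")
```

The module check deliberately ignores the tool's own "OK." verdict on file associations and recomputes it against known defaults, because a checker that trusts the report's status column adds nothing; the process check keys on the two cheapest signals available in this report format, location and presence of a version resource, and a hit is a prompt for a hash or signature lookup, not a verdict.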
  10. Hi,
Procedure carried out without any problem. Here is the report:
File C:\WINDOWS\nibble.exe infected by "Backdoor.Win32.Agent.bxt" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine23C0000.VBN infected by "Trojan-Downloader.Win32.Tiny.fl" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine23C0001.VBN infected by "Trojan-Downloader.Win32.Tiny.fl" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine23C0002.VBN infected by "Trojan-Downloader.Win32.Tiny.fl" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine23C0003.VBN infected by "Trojan-Downloader.Win32.Tiny.fl" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine5E00000.VBN infected by "Email-Worm.Win32.Zhelatin.cz" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\Turhan\Favoris\Türkiye Cumhuriyet Merkez Bankasi Günlük Döviz Kurlari.url infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{989293F2-1376-4753-8F40-BAF904A805D7}\RP1\A0001014.exe infected by "Backdoor.Win32.Agent.bxt" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{989293F2-1376-4753-8F40-BAF904A805D7}\RP2\A0002115.exe infected by "Backdoor.Win32.Agent.bxt" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{989293F2-1376-4753-8F40-BAF904A805D7}\RP4\A0002138.exe infected by "Backdoor.Win32.Agent.bxt" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{989293F2-1376-4753-8F40-BAF904A805D7}\RP5\A0002302.exe infected by "Backdoor.Win32.Agent.bxt" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{989293F2-1376-4753-8F40-BAF904A805D7}\RP6\A0002335.exe infected by "Backdoor.Win32.Agent.bxt" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{989293F2-1376-4753-8F40-BAF904A805D7}\RP6\A0002339.exe infected by "Backdoor.Win32.Agent.bxt" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{989293F2-1376-4753-8F40-BAF904A805D7}\RP6\A0002351.exe infected by "Backdoor.Win32.Agent.bxt" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{989293F2-1376-4753-8F40-BAF904A805D7}\RP6\A0002425.exe infected by "Backdoor.Win32.Agent.bxt" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{989293F2-1376-4753-8F40-BAF904A805D7}\RP6\A0002444.exe infected by "Backdoor.Win32.Agent.bxt" Virus. Action Taken: File Renamed.
File C:\_OTMoveIt\MovedFiles\Documents and Settings\Turhan\Local Settings\Temporary Internet Files\Content.IE5\45EZSL2V\nibble[1].exe infected by "Backdoor.Win32.Agent.bxt" Virus. Action Taken: File Renamed.
File C:\_OTMoveIt\MovedFiles\WINDOWS\Help\mwrem.cin infected by "Backdoor.Win32.Agent.bxs" Virus. Action Taken: File Renamed.
File C:\_OTMoveIt\MovedFiles\WINDOWS\nibble.exe infected by "Backdoor.Win32.Agent.bxt" Virus. Action Taken: File Renamed.
The file nibble.exe had returned to C:\Windows this morning; it killed a few programs, then nothing more for a while. I deleted it and am watching to see whether it reappears. More information a little later. Thanks for the procedure; it seems the bulk of the work is done.
  11. Re:
Since I spotted it in Task Manager, I have tried to delete it in normal mode as well as in Safe Mode, but without success. However, it is indeed not in C:\Windows but in C:\_OTMoveIt\MovedFiles\WINDOWS. After moving it with OT, was I supposed to delete it?
  12. Here now is the Kaspersky report:
Tuesday, October 02, 2007 3:10:36 AM
Operating system: Microsoft Windows XP Professional, (Build 2600)
Kaspersky On-line Scanner version: 5.0.83.0
Last update of Kaspersky antivirus database: 2/10/2007
Records in Kaspersky antivirus database: 400224
Scan settings
Scan using the following antivirus database: standard
Scan archives: true
Scan mail bases: true
Scan target: My Computer
A:\
C:\
D:\
E:\
F:\
Scan statistics
Total number of scanned objects: 33835
Number of viruses found: 4
Number of infected objects: 17 / 0
Number of suspicious objects: 0
Duration of the scan: 00:27:21
Infected object name / Virus name / Last action
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine23C0000.VBN Infected: Trojan-Downloader.Win32.Tiny.fl skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine23C0001.VBN Infected: Trojan-Downloader.Win32.Tiny.fl skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine23C0002.VBN Infected: Trojan-Downloader.Win32.Tiny.fl skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine23C0003.VBN Infected: Trojan-Downloader.Win32.Tiny.fl skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine5E00000.VBN/backups/cent.exe.exe Infected: Email-Worm.Win32.Zhelatin.cz skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine5E00000.VBN/backups/pdp.exe.exe Infected: Email-Worm.Win32.Zhelatin.cz skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine5E00000.VBN ZIP: infected - 2 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine5E00000.VBN CryptZ: infected - 2 skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Turhan\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Turhan\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Turhan\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Turhan\Local Settings\Historique\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Turhan\Local Settings\Historique\History.IE5\MSHist012007100220071003\index.dat Object is locked skipped
C:\Documents and Settings\Turhan\Local Settings\Temporary Internet Files\Content.IE5\45EZSL2V\nibble[1].exe Infected: Backdoor.Win32.Agent.bxt skipped
C:\Documents and Settings\Turhan\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Turhan\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Turhan\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\_restore{989293F2-1376-4753-8F40-BAF904A805D7}\RP1\A0001014.exe Infected: Backdoor.Win32.Agent.bxt skipped
C:\System Volume Information\_restore{989293F2-1376-4753-8F40-BAF904A805D7}\RP2\A0002115.exe Infected: Backdoor.Win32.Agent.bxt skipped
C:\System Volume Information\_restore{989293F2-1376-4753-8F40-BAF904A805D7}\RP4\A0002138.exe Infected: Backdoor.Win32.Agent.bxt skipped
C:\System Volume Information\_restore{989293F2-1376-4753-8F40-BAF904A805D7}\RP5\A0002302.exe Infected: Backdoor.Win32.Agent.bxt skipped
C:\System Volume Information\_restore{989293F2-1376-4753-8F40-BAF904A805D7}\RP6\A0002335.exe Infected: Backdoor.Win32.Agent.bxt skipped
C:\System Volume Information\_restore{989293F2-1376-4753-8F40-BAF904A805D7}\RP6\A0002339.exe Infected: Backdoor.Win32.Agent.bxt skipped
C:\System Volume Information\_restore{989293F2-1376-4753-8F40-BAF904A805D7}\RP6\change.log Object is locked skipped
C:\WINDOWS\Debug\oakley.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Help\access.cni Object is locked skipped
C:\WINDOWS\Help\mwrem.cin Infected: Backdoor.Win32.Agent.bxs skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\TURHAN-OM5L9K69.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\nibble.exe Infected: Backdoor.Win32.Agent.bxt skipped
C:\WINDOWS\nview.dll Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{B9A4A533-DB3A-4710-8955-CC6467C152E9}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
I'm rebooting for ZoneAlarm, and then I'll take care of OT. Bye.
Edit: OT procedure done, nibble.exe has been moved. Information: at startup, nibble.exe tried to connect to the Internet, but was blocked by ZoneAlarm. However, it killed MSN.
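The Kaspersky report above mixes four kinds of line that call for different responses: detections in live locations (C:\WINDOWS\nibble.exe, C:\WINDOWS\Help\mwrem.cin), copies the scanner found inside another product's quarantine or inside System Restore points, the cached download in Temporary Internet Files, and objects the scanner could not open at all ("locked"). A locked executable such as C:\WINDOWS\nview.dll deserves a second look in its own right, because a scanner usually cannot read a DLL that something has loaded. The Python script below is an added example, not part of the post and not Kaspersky's code; it parses the line formats shown, accepting both the French labels seen in this thread ("Infecté :", "L'objet est verrouillé", "ignoré") and their English equivalents, and orders the findings by where they sit. The sample report is constructed from lines quoted in the post above.

```python
"""Triage an exported Kaspersky On-line Scanner report (added example, not Kaspersky code).

Splits detections from locked objects and infected archives, ranks detections
by location, and singles out locked executables for follow-up.
"""
import re
from collections import Counter

# "<path> Infecté : <name> ignoré"  or  "<path> Infected: <name> skipped"
INFECTED_RE = re.compile(r"^(?P<path>.+?) (?:Infecté|Infected) ?: (?P<name>\S+) (?:ignoré|skipped)$")
# "<path> ZIP: infecté - 2 ignoré"  (archive container with N infected members)
ARCHIVE_RE = re.compile(r"^(?P<path>.+?) (?P<kind>[A-Za-z0-9]+): (?:infecté|infected) - (?P<count>\d+) (?:ignoré|skipped)$")
# "<path> L'objet est verrouillé ignoré"  or  "<path> Object is locked skipped"
LOCKED_RE = re.compile(r"^(?P<path>.+?) (?:L'objet est verrouillé|Object is locked) (?:ignoré|skipped)$")

EXECUTABLE_EXT = (".exe", ".dll", ".sys", ".ocx", ".scr", ".drv")


def classify(path):
    """Where a detection sits decides how urgent it is."""
    low = path.lower()
    if "\\system volume information\\_restore" in low:
        return "restore-point"      # inert copies, cleared by purging System Restore
    if "\\quarantine" in low:
        return "av-quarantine"      # already neutralised by another AV product
    if "\\_otmoveit\\" in low:
        return "otmoveit-backup"    # moved aside by OTMoveIt, not active
    if "\\temporary internet files\\" in low:
        return "browser-cache"      # the download, not the running copy
    return "live"                   # on disk in a normal location: deal with this first


def parse_report(lines):
    """Return (infected, locked, archives) parsed from report lines."""
    infected, locked, archives = [], [], []
    for raw in lines:
        line = raw.strip()
        m = INFECTED_RE.match(line)
        if m:
            infected.append({"path": m["path"], "name": m["name"], "where": classify(m["path"])})
            continue
        m = ARCHIVE_RE.match(line)
        if m:
            archives.append({"path": m["path"], "kind": m["kind"], "count": int(m["count"])})
            continue
        m = LOCKED_RE.match(line)
        if m:
            locked.append(m["path"])
    return infected, locked, archives


def triage(infected):
    """Live detections first, plus per-family and per-location tallies."""
    return {
        "live": sorted(i["path"] for i in infected if i["where"] == "live"),
        "families": Counter(i["name"] for i in infected),
        "by_location": Counter(i["where"] for i in infected),
    }


def unusual_locked(locked):
    """Locked executables: the scanner could not read them, which for a
    .dll/.exe usually means something has the file loaded."""
    return sorted(p for p in locked if p.lower().endswith(EXECUTABLE_EXT))


# Constructed sample, copied from lines quoted in the post above (French labels kept).
SAMPLE_REPORT = r"""
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine23C0000.VBN Infecté : Trojan-Downloader.Win32.Tiny.fl ignoré
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine5E00000.VBN/backups/cent.exe.exe Infecté : Email-Worm.Win32.Zhelatin.cz ignoré
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine5E00000.VBN ZIP: infecté - 2 ignoré
C:\Documents and Settings\LocalService\NTUSER.DAT L'objet est verrouillé ignoré
C:\Documents and Settings\Turhan\Local Settings\Temporary Internet Files\Content.IE5\45EZSL2V\nibble[1].exe Infecté : Backdoor.Win32.Agent.bxt ignoré
C:\System Volume Information\_restore{989293F2-1376-4753-8F40-BAF904A805D7}\RP1\A0001014.exe Infecté : Backdoor.Win32.Agent.bxt ignoré
C:\System Volume Information\_restore{989293F2-1376-4753-8F40-BAF904A805D7}\RP6\A0002335.exe Infecté : Backdoor.Win32.Agent.bxt ignoré
C:\WINDOWS\Help\mwrem.cin Infecté : Backdoor.Win32.Agent.bxs ignoré
C:\WINDOWS\nibble.exe Infecté : Backdoor.Win32.Agent.bxt ignoré
C:\WINDOWS\nview.dll L'objet est verrouillé ignoré
C:\WINDOWS\system32\config\SAM L'objet est verrouillé ignoré
""".strip().splitlines()

if __name__ == "__main__":
    infected, locked, archives = parse_report(SAMPLE_REPORT)
    summary = triage(infected)
    print("live detections:", *summary["live"], sep="\n  ")
    print("families:", dict(summary["families"]))
    print("by location:", dict(summary["by_location"]))
    print("locked executables to check:", unusual_locked(locked))
```

Run on the full report, the "live" list is the removal worklist, the restore-point count says whether System Restore needs purging, and the locked-executable list is what to hash and look up before declaring the machine clean.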
  13. Re:
Kaspersky is running; the file nibble.exe was indeed deleted at startup, but it is already back (bye bye MSN). Regarding Symantec, the Norton Removal Tool asks me to remove Symantec AntiVirus using "Add/Remove Programs" in Control Panel. The problem is that I don't have that option when I click on Symantec AntiVirus; it just shows "used rarely".
Addition: Nibble also closes Control Panel ^^
Edit: ZoneAlarm in progress as well ^^
Question: is the XP firewall useful?
  14. Re:
Here is the HijackThis report:
StartupList report, 02/10/2007, 01:39:11
StartupList version: 1.52.2
Started from : C:\Documents and Settings\Turhan\Bureau\HiJackThis\HijackThis.EXE
Detected: Windows XP (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 (6.00.2600.0000)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\System32\nvsvc32.exe
c:\windows\explorer.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Turhan\Bureau\HiJackThis\HijackThis.exe
--------------------------------------------------
Listing of startup folders:
Shell folders Startup:
[C:\Documents and Settings\Turhan\Menu Démarrer\Programmes\Démarrage]
*No files*
Shell folders AltStartup:
*Folder not found*
User shell folders Startup:
*Folder not found*
User shell folders AltStartup:
*Folder not found*
Shell folders Common Startup:
[C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage]
*No files*
Shell folders Common AltStartup:
*Folder not found*
User shell folders Common Startup:
*Folder not found*
User shell folders Alternate Common Startup:
*Folder not found*
--------------------------------------------------
Checking Windows NT UserInit:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = c:\windows\system32\userinit.exe
[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*
[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*
[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
avgnt = "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
msnmsgr = "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*
--------------------------------------------------
File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command
(Default) = "%1" %*
--------------------------------------------------
File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command
(Default) = "%1" %*
--------------------------------------------------
File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command
(Default) = "%1" %*
--------------------------------------------------
File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command
(Default) = "%1" %*
--------------------------------------------------
File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command
(Default) = "%1" /S
--------------------------------------------------
File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command
(Default) = C:\WINDOWS\system32\mshta.exe "%1" %*
--------------------------------------------------
File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command
(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1
--------------------------------------------------
Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)
[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
[{22d6f312-b0f6-11d0-94ab-0080c74c7e95}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\mplayer2.inf,PerUserStub.NT
[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.Install.PerUser
[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub
[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll
[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe
[{ACC563BC-4266-43f0-B6ED-9D38C4202C7E}] *
StubPath = rundll32 iesetup.dll,IEAccessUserInst
--------------------------------------------------
Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps
*Registry key not found*
--------------------------------------------------
Load/Run keys from C:\WINDOWS\WIN.INI:
load=*INI section not found*
run=*INI section not found*
Load/Run keys from Registry:
HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=
--------------------------------------------------
Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:
Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*
Shell & screensaver key from Registry:
Shell=c:\windows\explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*
Policies Shell key:
HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*
--------------------------------------------------
Checking for EXPLORER.EXE instances:
C:\WINDOWS\Explorer.exe: PRESENT!
C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present
--------------------------------------------------
Checking for superhidden extensions:
.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden
--------------------------------------------------
Verifying REGEDIT.EXE integrity:
- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Regedit.exe has no CompanyName property! It is either missing or named something else.
- Regedit.exe has no OriginalFilename property! It is either missing or named something else.
- Regedit.exe has no FileDescription property! It is either missing or named something else.
Registry check failed!
--------------------------------------------------
Enumerating Browser Helper Objects:
*No BHO's found*
--------------------------------------------------
Enumerating Task Scheduler jobs:
*No jobs found*
--------------------------------------------------
Enumerating Download Program Files:
[Checkers Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\msgrchkr.dll
CODEBASE = http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
[{33564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB
[WUWebControl Class]
InProcServer32 = C:\WINDOWS\System32\wuweb.dll
CODEBASE = http://www.update.microsoft.com/windowsupd...b?1191279058281
[shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\Macromed\Flash\Flash9b.ocx
CODEBASE = http://download.macromedia.com/pub/shockwa...ash/swflash.cab
--------------------------------------------------
Enumerating Winsock LSP files:
NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll
Protocol #12: C:\WINDOWS\system32\mswsock.dll
Protocol #13: C:\WINDOWS\system32\mswsock.dll
Protocol #14: C:\WINDOWS\system32\mswsock.dll
Protocol #15: C:\WINDOWS\system32\mswsock.dll
Protocol #16: C:\WINDOWS\system32\mswsock.dll
Protocol #17: C:\WINDOWS\system32\mswsock.dll
--------------------------------------------------

Enumerating Windows NT/2000/XP services

Pilote ACPI Microsoft: System32\DRIVERS\ACPI.sys (system)
Suppresseur d'écho acoustique (Noyau Microsoft): system32\drivers\aec.sys (manual start)
Environnement de prise en charge de réseau AFD: \SystemRoot\System32\drivers\afd.sys (autostart)
Avertissement: %SystemRoot%\System32\svchost.exe -k LocalService (disabled)
Service de la passerelle de la couche Application: %SystemRoot%\System32\alg.exe (manual start)
AntiVir PersonalEdition Classic Scheduler: "C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe" (autostart)
AntiVir PersonalEdition Classic Guard: "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe" (autostart)
Gestion d'applications: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
Protocole client ARP 1394: System32\DRIVERS\arp1394.sys (manual start)
Pilote de média asynchrone RAS: System32\DRIVERS\asyncmac.sys (manual start)
Contrôleur de disque dur IDE/ESDI standard: System32\DRIVERS\atapi.sys (system)
atitray: \??\C:\Program Files\Radeon Omega Drivers\v3.8.360\ATI Tray Tools\atitray.sys (system)
Protocole client ATM ARP: System32\DRIVERS\atmarpc.sys (manual start)
Audio Windows: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Pilote audio Stub: System32\DRIVERS\audstub.sys (manual start)
avgntdd: SYSTEM32\DRIVERS\avgntdd.sys (system)
avgntmgr: SYSTEM32\DRIVERS\avgntmgr.sys (system)
avipbb: System32\DRIVERS\avipbb.sys (system)
Service de transfert intelligent en arrière-plan: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Explorateur d'ordinateur: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Symantec Settings Manager: "C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe" (disabled)
Pilote de CD-ROM: System32\DRIVERS\cdrom.sys (system)
Service d'indexation: C:\WINDOWS\System32\cisvc.exe (manual start)
Gestionnaire de l'Album: %SystemRoot%\system32\clipsrv.exe (manual start)
Application système COM+: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Services de cryptographie: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Client DHCP: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Pilote de disque: System32\DRIVERS\disk.sys (system)
Service d'administration du Gestionnaire de disque logique: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
Pilote de Gestionnaire de disque logique: System32\drivers\dmio.sys (system)
dmload: System32\drivers\dmload.sys (system)
Gestionnaire de disque logique: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Synthétiseur DLS du noyau Microsoft: system32\drivers\DMusic.sys (manual start)
Client DNS: %SystemRoot%\System32\svchost.exe -k NetworkService (disabled)
Filtre de décodeur DRM (Noyau Microsoft): system32\drivers\drmkaud.sys (manual start)
Service de rapport d'erreurs: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Journal des événements: %SystemRoot%\system32\services.exe (autostart)
Système d'événements de COM+: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)
Compatibilité avec le Changement rapide d'utilisateur: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Pilote de contrôleur de lecteur de disquettes: System32\DRIVERS\fdc.sys (manual start)
Pilote de lecteur de disquettes: System32\DRIVERS\flpydisk.sys (manual start)
Pilote du Gestionnaire de volume: System32\DRIVERS\ftdisk.sys (system)
Énumérateur de port jeu: System32\DRIVERS\gameenum.sys (manual start)
Classificateur de paquets générique: System32\DRIVERS\msgpc.sys (manual start)
Aide et support: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
HID Input Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Pilote de classe HID Microsoft: System32\DRIVERS\hidusb.sys (manual start)
Pilote pour clavier i8042 et souris sur port PS/2: System32\DRIVERS\i8042prt.sys (system)
Service COM de gravage de CD IMAPI: C:\WINDOWS\System32\imapi.exe (manual start)
Pilote de filtre de trafic IP: System32\DRIVERS\ipfltdrv.sys (manual start)
Pilote de tunnelage IP dans IP: System32\DRIVERS\ipinip.sys (manual start)
Traducteur d'adresses réseau IP: System32\DRIVERS\ipnat.sys (manual start)
Pilote IPSEC: System32\DRIVERS\ipsec.sys (system)
Service énumérateur IR: System32\DRIVERS\irenum.sys (manual start)
Pilote de bus Plug-and-Play ISA/EISA: System32\DRIVERS\isapnp.sys (system)
Pilote de la classe Clavier: System32\DRIVERS\kbdclass.sys (system)
Pilote HID de clavier: System32\DRIVERS\kbdhid.sys (system)
Mélangeur audio Wave de noyau Microsoft: system32\drivers\kmixer.sys (manual start)
Serveur: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Station de travail: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Assistance TCP/IP NetBIOS: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Affichage des messages: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Partage de Bureau à distance NetMeeting: C:\WINDOWS\System32\mnmsrvc.exe (disabled)
Pilote de la classe Souris: System32\DRIVERS\mouclass.sys (system)
Pilote HID de souris: System32\DRIVERS\mouhid.sys (manual start)
Redirecteur client WebDav: System32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)
Windows Installer: C:\WINDOWS\System32\msiexec.exe /V (manual start)
Proxy de service de répartition Microsoft: system32\drivers\MSKSSRV.sys (manual start)
Proxy d'horloge de répartition Microsoft: system32\drivers\MSPCLOCK.sys (manual start)
Proxy de gestion de qualité de répartition Microsoft: system32\drivers\MSPQM.sys (manual start)
Pilote UART MIDI MPU-401 Microsoft: system32\drivers\msmpu401.sys (manual start)
NAVENG: \??\C:\PROGRA~1\FICHIE~1\SYMANT~1\VIRUSD~1\20070730.016\naveng.sys (manual start)
NAVEX15: \??\C:\PROGRA~1\FICHIE~1\SYMANT~1\VIRUSD~1\20070730.016\navex15.sys (manual start)
Pilote TAPI NDIS d'accès distant: System32\DRIVERS\ndistapi.sys (manual start)
NDIS mode utilisateur E/S Protocole: System32\DRIVERS\ndisuio.sys (manual start)
Pilote réseau étendu NDIS d'accès distant: System32\DRIVERS\ndiswan.sys (manual start)
Interface NetBIOS: System32\DRIVERS\netbios.sys (system)
NetBIOS sur TCP/IP: System32\DRIVERS\netbt.sys (system)
DDE réseau: %SystemRoot%\system32\netdde.exe (manual start)
DSDM DDE réseau: %SystemRoot%\system32\netdde.exe (manual start)
Ouverture de session réseau: %SystemRoot%\System32\lsass.exe (manual start)
Connexions réseau: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Pilote réseau 1394: System32\DRIVERS\nic1394.sys (manual start)
NLA (Network Location Awareness): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Fournisseur de la prise en charge de sécurité LM NT: %SystemRoot%\System32\lsass.exe (manual start)
Stockage amovible: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
nTune Service: C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe /StartService (autostart)
nv: System32\DRIVERS\nv4_mini.sys (manual start)
Service for NVIDIA® nForce Audio Enumerator: system32\drivers\nvax.sys (manual start)
Service for NVIDIA® nForce Audio: system32\drivers\nvapu.sys (manual start)
NVR0Dev: \??\C:\WINDOWS\nvoclock.sys (manual start)
NVIDIA Display Driver Service: %SystemRoot%\System32\nvsvc32.exe (autostart)
Pilote de filtre de trafic IPX: System32\DRIVERS\nwlnkflt.sys (manual start)
Pilote de transfert de trafic IPX: System32\DRIVERS\nwlnkfwd.sys (manual start)
Contrôleurs hôte IEEE 1394 compatible OHCI: System32\DRIVERS\ohci1394.sys (system)
Pilote de port parallèle: System32\DRIVERS\parport.sys (manual start)
Pilote de bus PCI: System32\DRIVERS\pci.sys (system)
PCIIde: System32\DRIVERS\pciide.sys (system)
Plug-and-Play: %SystemRoot%\system32\services.exe (autostart)
Services IPSEC: %SystemRoot%\System32\lsass.exe (autostart)
Miniport réseau étendu (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Pilote processeur: System32\DRIVERS\processr.sys (system)
Emplacement protégé: %SystemRoot%\system32\lsass.exe (autostart)
Planificateur de paquets QoS: System32\DRIVERS\psched.sys (manual start)
Pilote de liaison parallèle directe: System32\DRIVERS\ptilink.sys (manual start)
PxHelp20: System32\Drivers\PxHelp20.sys (system)
Pilote de connexion automatique d'accès distant: System32\DRIVERS\rasacd.sys (system)
Gestionnaire de connexion automatique d'accès distant: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Miniport réseau étendu (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Gestionnaire de connexions d'accès distant: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Pilote PPPOE d'accès à distance: System32\DRIVERS\raspppoe.sys (manual start)
Parallèle direct: System32\DRIVERS\raspti.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Pilote de redirecteur de périphérique Terminal Server: System32\DRIVERS\rdpdr.sys (manual start)
Gestionnaire de session d'aide sur le Bureau à distance: C:\WINDOWS\system32\sessmgr.exe (manual start)
Pilote de filtre de lecture digitale de CD audio: System32\DRIVERS\redbook.sys (system)
Routage et accès distant: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Accès à distance au Registre: %SystemRoot%\system32\svchost.exe -k LocalService (disabled)
Localisateur d'appels de procédure distante (RPC): %SystemRoot%\System32\locator.exe (manual start)
Appel de procédure distante (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
Pilote NT de carte Realtek PCI Ethernet à base RTL8029(AS): System32\DRIVERS\RTL8029.SYS (manual start)
Gestionnaire de comptes de sécurité: %SystemRoot%\system32\lsass.exe (autostart)
SAVRT: \??\C:\Program Files\Symantec AntiVirus\savrt.sys (manual start)
SAVRTPEL: \??\C:\Program Files\Symantec AntiVirus\Savrtpel.sys (autostart)
Prise en charge des cartes à puces: %SystemRoot%\System32\SCardSvr.exe (manual start)
Carte à puce: %SystemRoot%\System32\SCardSvr.exe (manual start)
Planificateur de tâches: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (manual start)
Connexion secondaire: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Notification d'événement système: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
Pilote de filtre Serenum: System32\DRIVERS\serenum.sys (manual start)
Pilote de port série: System32\DRIVERS\serial.sys (system)
Pare-feu de connexion Internet (ICF) / Partage de connexion Internet (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Détection matériel noyau: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Symantec Network Drivers Service: "C:\Program Files\Fichiers communs\Symantec Shared\SNDSrvc.exe" (disabled)
Splitter audio du noyau Microsoft: system32\drivers\splitter.sys (manual start)
Spouleur d'impression: %SystemRoot%\system32\spoolsv.exe (autostart)
Pilote de filtre de restauration système: System32\DRIVERS\sr.sys (system)
Service de restauration système: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
Service de découvertes SSDP: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
ssmdrv: System32\DRIVERS\ssmdrv.sys (system)
Acquisition d'image Windows (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (manual start)
Pilote de bus logiciel: System32\DRIVERS\swenum.sys (manual start)
Synthétiseur de table de sons GC noyau Microsoft: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{D29AE635-E4B5-4B20-AAC0-A3A0CC052390} (manual start)
SYMREDRV: \SystemRoot\System32\Drivers\SYMREDRV.SYS (manual start)
SYMTDI: \SystemRoot\System32\Drivers\SYMTDI.SYS (system)
Périphérique audio système du noyau Microsoft: system32\drivers\sysaudio.sys (manual start)
Journaux et alertes de performance: %SystemRoot%\system32\smlogsvc.exe (manual start)
Téléphonie: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Pilote du protocole TCP/IP: System32\DRIVERS\tcpip.sys (system)
Pilote de périphérique terminal: System32\DRIVERS\termdd.sys (system)
Services Terminal Server: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Thèmes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Telnet: C:\WINDOWS\System32\tlntsvr.exe (disabled)
Client de suivi de lien distribué: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
TVICHW32: \??\C:\WINDOWS\System32\DRIVERS\TVICHW32.SYS (manual start)
Pilote de mise à jour microcode: System32\DRIVERS\update.sys (manual start)
Gestionnaire de téléchargement: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Hôte de périphérique universel Plug-and-Play: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Onduleur: %SystemRoot%\System32\ups.exe (manual start)
Pilote parent générique USB Microsoft: System32\DRIVERS\usbccgp.sys (manual start)
Concentrateur USB2: System32\DRIVERS\usbhub.sys (manual start)
Pilote miniport de contrôleur hôte ouvert USB Microsoft: System32\DRIVERS\usbohci.sys (manual start)
Classe d'imprimantes USB Microsoft: System32\DRIVERS\usbprint.sys (manual start)
Pilote de scanneur USB: System32\DRIVERS\usbscan.sys (manual start)
Pilote de stockage de masse USB: System32\DRIVERS\USBSTOR.SYS (manual start)
VgaSave: \SystemRoot\System32\drivers\vga.sys (system)
Cliché instantané de volume: %SystemRoot%\System32\vssvc.exe (manual start)
Horloge Windows: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Pilote ARP IP d'accès distant: System32\DRIVERS\wanarp.sys (manual start)
Pilote WINMM de compatibilité audio WDM Microsoft: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (disabled)
Infrastructure de gestion Windows: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Numéro de série du média portable: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Extensions du pilote WMI: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Carte de performance WMI: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)
Mises à jour automatiques: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Configuration automatique sans fil: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
NDIS5.1 Miniport Driver for Marvell Yukon Gigabit Ethernet Adapter: System32\DRIVERS\yukonwxp.sys (manual start)

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = *Registry value not found*

Windows NT 'Wininit.ini':
PendingFileRenameOperations: C:\Documents and Settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\Update\AVUPDATE_470171f4\UPDENGVDFTEST|||i

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:
PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
*Registry key not found*

--------------------------------------------------

End of report, 31 661 bytes
Report generated in 0,063 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups
even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

A few answers/pieces of information:

- This is indeed one of the first times I've tried to "deal with" a virus in some way other than formatting ^^.

- Regarding Autoruns, I used it as part of a sequence taken from an easy, "no-fuss" cleanup guide, which went as follows:
  Safe mode
  ATFCleaner
  Empty System32/dllcache
  Start => MSconfig
  Antivir
  Spybot
  Autoruns => disable IE, Winlogon, Appinit, Winsock providers, Boot exec, Scheduled tasks, Logon
  Normal restart
  In the end I didn't disable everything in Autoruns, just the QuickTime and Messenger launches at startup, plus "NavLogon / Symantec AntiVirus Logon Notification (Verified) Symantec Corporation c:\windows\system32\navlogon.dll" under Logon. I hope I haven't made any useless or dangerous changes; I tried to be as careful as possible while using it.

- A few observations about nibble.exe: so far, the programs that were terminated when it appeared are Diablo 2, Excel, Word and HijackThis, at a frequency of roughly every 5 minutes.

Sorry for being so long, and thanks for your attention.
Cheers
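Two sections of the StartupList report above are the ones a helper reads first: the "File association entry" blocks (a malware that rewrites exefile\shell\open\command gets launched every time any program starts, which is also why the report prints the stock Windows XP commands) and "Checking for superhidden extensions" (a program type marked NeverShowExt can pass itself off as a document). The script below is an added example, not code from this thread or from HijackThis/StartupList: it parses those two sections out of a pasted report and flags anything that deviates. The expected open commands are the XP defaults the report itself shows; the set of extensions XP hides by default is the stock XP list and is an assumption of the example, not something printed by the tool. Both sample reports are constructed: one copies the entries from the post, the other replaces the .EXE command with an invented wrapper path and marks .exe as hidden to show what a hijacked machine would look like.

```python
import re

# Stock Windows XP open commands for the file types StartupList checks.
# A hijacked association usually wraps the original, for example
#   "C:\...\something.exe" "%1" %*
# so the extra binary runs before every program the user launches.
EXPECTED_OPEN_COMMANDS = {
    ".EXE": '"%1" %*',
    ".COM": '"%1" %*',
    ".BAT": '"%1" %*',
    ".PIF": '"%1" %*',
    ".SCR": '"%1" /S',
    ".HTA": 'C:\\WINDOWS\\system32\\mshta.exe "%1" %*',
    ".TXT": '%SystemRoot%\\system32\\NOTEPAD.EXE %1',
}

# Extensions Windows XP hides by default (NeverShowExt on their ProgID);
# this list is the example's assumption about a stock install. Any other
# hidden extension, above all .exe/.com/.scr/.vbs, means something added
# NeverShowExt to disguise a program as a harmless file.
DEFAULT_SUPERHIDDEN = {".lnk", ".pif", ".shs", ".shb", ".scf", ".url"}

ASSOC_RE = re.compile(
    r"File association entry for (?P<ext>\.[A-Z]+):\s*"
    r"HKEY_CLASSES_ROOT\\\S+\s*\(Default\) = (?P<cmd>.+?)\s*-{10,}",
    re.S,
)
HIDDEN_RE = re.compile(r"(?P<ext>\.\w+): (?P<state>HIDDEN!|not hidden)")


def check_file_associations(report):
    """Map each extension to (command found, True if it equals the XP default)."""
    findings = {}
    for m in ASSOC_RE.finditer(report):
        ext, cmd = m.group("ext"), m.group("cmd").strip()
        findings[ext] = (cmd, cmd == EXPECTED_OPEN_COMMANDS.get(ext))
    return findings


def suspicious_hidden_extensions(report):
    """Extensions reported HIDDEN! that XP does not hide by default."""
    parts = report.split("Checking for superhidden extensions:", 1)
    if len(parts) < 2:
        return []
    section = parts[1].split("-----", 1)[0]  # stop at the next separator
    return sorted(
        m.group("ext")
        for m in HIDDEN_RE.finditer(section)
        if m.group("state") == "HIDDEN!" and m.group("ext") not in DEFAULT_SUPERHIDDEN
    )


def summarize(report):
    """Condensed verdict for a pasted report: what to look at first."""
    assoc = check_file_associations(report)
    return {
        "hijacked_associations": sorted(e for e, (_, ok) in assoc.items() if not ok),
        "suspicious_hidden": suspicious_hidden_extensions(report),
    }


# Constructed sample: the entries exactly as they appear in the post above.
SAMPLE_CLEAN = r"""
File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command
(Default) = "%1" %*
--------------------------------------------------
File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command
(Default) = "%1" /S
--------------------------------------------------
File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command
(Default) = C:\WINDOWS\system32\mshta.exe "%1" %*
--------------------------------------------------
File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command
(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1
--------------------------------------------------
Checking for superhidden extensions:
.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
--------------------------------------------------
"""

# Constructed hijacked variant: the .EXE command wrapped by a hypothetical
# binary (the path is invented for this example) and .exe made superhidden.
SAMPLE_HIJACKED = SAMPLE_CLEAN.replace(
    '(Default) = "%1" %*\n--',
    '(Default) = "C:\\WINDOWS\\system32\\hypothetical.exe" "%1" %*\n--',
    1,
).replace(".exe: not hidden", ".exe: HIDDEN!")

if __name__ == "__main__":
    print("clean   :", summarize(SAMPLE_CLEAN))
    print("hijacked:", summarize(SAMPLE_HIJACKED))
```

On the report in the post, both lists come back empty, which matches what the tool printed: every open command is the XP default and only the extensions XP hides anyway are hidden. Against the hijacked sample the script names .EXE and .exe, which is exactly the pair of findings that would justify a "fix" of those keys before anything else.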
15. Re,

I had doubts about this file (first post); I ran this procedure this afternoon without finishing it, so I'm redoing it properly to check. Here is the VirusTotal report:

Antivirus           Version         Last update   Result
AhnLab-V3           2007.10.2.0     2007.10.01    -
AntiVir             7.6.0.18        2007.10.01    -
Authentium          4.93.8          2007.10.01    -
Avast               4.7.1043.0      2007.10.01    -
AVG                 7.5.0.488       2007.10.01    -
BitDefender         7.2             2007.10.02    -
CAT-QuickHeal       9.00            2007.10.01    -
ClamAV              0.91.2          2007.10.02    -
DrWeb               4.33            2007.10.01    -
eSafe               7.0.15.0        2007.10.01    -
eTrust-Vet          31.2.5178       2007.10.01    -
Ewido               4.0             2007.10.01    -
FileAdvisor         1               2007.10.02    -
Fortinet            3.11.0.0        2007.10.01    -
F-Prot              4.3.2.48        2007.10.01    -
F-Secure            6.70.13030.0    2007.10.01    -
Ikarus              T3.1.1.12       2007.10.01    -
Kaspersky           7.0.0.125       2007.10.02    -
McAfee              5131            2007.10.01    -
Microsoft           1.2803          2007.10.02    -
NOD32v2             2563            2007.10.01    -
Norman              5.80.02         2007.10.01    -
Panda               9.0.0.4         2007.10.01    Suspicious file
Prevx1              V2              2007.10.02    Heuristic: Suspicious Downloader
Rising              19.43.00.00     2007.10.01    -
Sophos              4.22.0          2007.10.01    -
Sunbelt             2.2.907.0       2007.10.02    -
Symantec            10              2007.10.01    -
TheHacker           6.2.6.075       2007.10.01    -
VBA32               3.12.2.4        2007.09.30    -
VirusBuster         4.3.26:9        2007.10.01    -
Webwasher-Gateway   6.0.1           2007.10.01    -

Additional information
File size: 52224 bytes
MD5: 781a58f582521bb126ba21fbf7c0e9c9
SHA1: ae5b182936457fd889437147a631d43c043a0b20
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PX5...3814000877808DA

I suppose I should get one of the 2 antiviruses that detected it? Thanks, I remain at your disposal.