Virus, rapport hijjackthis

[Diwana]

oki!

[Thanos]

essaie ce dernier utilitaire stp pour voir (on fera le ménage dans tout ca plus tard !)>

 

Télécharge SREng (par Smallfrogs) de ce lien:

http://www.kztechs.com/eng/download.html

 

Extrais tout son contenu sur ton Bureau

Du dossier sreng2 qui se trouve maintenant sur ton Bureau, double clique sur SREng.exe afin de lancer l'outil

Clique sur Smart Scan

Ensuite, clique sur le bouton [scan]

 

Lorsque complété, clique sur le bouton [save Reports]

Sauvegarde le rapport sur ton Bureau

Copie/colle le contenu du fichier SREnglLOG.log dans ta prochaine réponse, s'il te plaît.

[Diwana]

Tadammmmmmmmmmm...

 

et non, il ne s'execute pas...pas de message d'erreur...rien, nada, walou...un grand silence!!!!!!!!!!!!!!!

[Thanos]

Je vais te faire essayer un dernier tool, puis j'alerte la cavalerie Je vais me renseigner auprès de personnes compétentes à ce sujet

 

te souviens tu du nom de rootkit que Panda aurait trouvé?

[Diwana]

Non, je me souviens pas...

 

Han, merci, c'est super sympa!

[Thanos]

j'aimerai que tu tentes de scanner ton pc avec cet utilitaire en mode sans échec stp>

 

Étape 1:

Télécharge eScan Antivirus Toolkit ici. Sauvegarde-le sur ton Bureau.

Avant de lancer le programme, il faut le mettre à jour tel qu'indiqué à l'étape 2.

 

Étape 2:

Voici comment mettre l'outil à jour :

 

1.) Double-clique le fichier mwav.exe qui se trouve sur le Bureau; dézippe les fichiers dans le nouveau dossier suggéré (C:\Kaspersky). Le programme va se lancer, et tu dois le quitter (clique sur "Exit" puis "Exit").

 

2.) Double-clique sur le Poste de travail, puis double-clique sur le lecteur principal (habituellement C:\), double-clique sur le dossier Kaspersky; ensuite, double-clique sur le fichier kavupd.exe. Tu verras maintenant une fenêtre DOS apparaître, et la mise à jour se complètera en quelques minutes.

 

3.) Lorsque la mise à jour sera complétée, tu verras "Press any key to continue"; tape sur une clé pour continuer. Deux nouveaux répertoires (dossiers) ont été créés lors de la mise à jour (C:\Bases et C:\Downloads).

 

4.) Sélectionne/copie tous les fichiers présents dans le dossier C:\Downloads, puis colle-les dans le dossier C:\Kaspersky. Accepte à l'invite de remplacer les fichiers existants.

 

Ne pas lancer le scan tout de suite !

 

Étape 3:

Redémarre en mode Sans Échec :

1) Redémarre ton ordi

2) Tapote la touche F8 immédiatement, juste après le "Bip"

3) Tu verras un écran avec options de démarrage apparaître

4) Choisi la première option : Sans Échec, et valide avec "Entrée"

5) Choisi ton compte régulier, et non Administrateur

 

 

Étape 4:

Du mode Sans Échec, voici comment utiliser le programme :

 

1.) Pour lancer "eScan Antivirus Toolkit", trouve le fichier mwavscan.com situé dans le dossier C:\Kaspersky

 

2.) Double-clique sur mwavscan.com; l'interface d'eScan va apparaître à l'écran.

 

3.) Il est très important de bien cocher ces boîtes sous Scan Option : Memory, Registry, Startup Folders, System Folders, Services.

 

4.) Coche la boîte Drive, ce qui donne accès à une nouvelle boîte Drive (bouton rond) juste dessous; coche ce bouton "Drive" (très important..), et tu verras une nouvelle boîte de navigation apparaître à la droite. Clique sur la petite flèche de cette boîte and choisi la lettre de ton disque dur, habituellement C:\.

 

5.) Juste au-dessous, assure-toi que Scan All Files est coché, et non Program Files.

 

6.) Clique sur Scan Clean et laisse le tool vérifier tout le disque dur (ça peut être long..). Lorsque terminé, tu verras Scan Completed. Ne pas quitter tout de suite !

 

7.) Ouvre un nouveau fichier Bloc notes (clique sur "Démarrer" >> "Programmes" >>"Accessoires" >> "Bloc notes"), puis copie/colle tout le contenu de la fenêtre Virus Log Information (la deuxième, au bas) dans le fichier texte, et sauvegarde le. eScan génère également un rapport complet dans le dossier C:\Kaspersky (nommé mwav.log), mais il est trop lourd pour poster sur le forum.

 

Ferme le programme. Redémarre ton PC en mode Normal. Poste (copie/colle) le rapport que tu as sauvegardé dans ta prochaine réponse.

 

Copie/colle ces instructions dans un fichier texte car une partie de la procédure s'effectuera en mode sans échec (donc pas d'accès à internet!) Courage

Modifié le 23 avril 2007 par charles ingals

[Diwana]

Aloa

 

Pour l'instant, ça marche, le scan est en cours en mode sans echec

Je te poste le rapport quand il sera terminé

 

[Diwana]

Voici le rapport de Escan antivirus...

 

File C:\WINDOWS\system32\cmdow.exe tagged as not-a-virus:RiskTool.Win32.HideWindows. No Action Taken.

File C:\WINDOWS\system32\cmdow.exe tagged as not-a-virus:RiskTool.Win32.HideWindows. No Action Taken.

File C:\System Volume Information\_restore{6741C34F-8CCC-4775-8A74-E72D0A9F60C4}\RP0\A0000004.exe tagged as not-a-virus:RiskTool.Win32.HideWindows. No Action Taken.

[Thanos]

salut

 

Bon rien de bien concluant sur ce rapport!

 

Tout d'abord j'aimerai que tu fasses cette petite manipulation simple >

 

Fais un clic doit sur le fichier siltentrunners et dans la liste qui se déroule, choisis "Ouvrir avec" > clique sur "Microsoft Windows Based Script Host".Si tu ne vois pas cette proposition, clique sur "Choisir le Programme" et sélectionne

"Microsoft Windows Based Script Host" puis coche la case "Toujours utiliser ce programme pour ouvrir les fichiers de ce type".

 

Si ca ne fonctionne pas, télécharge et installe Windows Script > http://www.microsoft.com/downloads/details...;displaylang=fr

Redémarre ton pc et relance stp silent runners.

Modifié le 24 avril 2007 par charles ingals

[Diwana]

aloa

 

Voici le rapport de Silentrunners qui a bien voulu s'executer aprés l'installation de windows script:

 

"Silent Runners.vbs", revision R50, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by "{++}"

 

 

Startup items buried in registry:

---------------------------------

 

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"TVAgent WiFi" = "C:\Program Files\Kit ADSL\Wizard\Agent_WiFi.exe" ["n9uf telecom"]

"MsnMsgr" = ""C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background" [MS]

"AMonitor" = "C:\Program Files\Tiny Firewall Pro\amon.exe" ["Tiny Software, Inc."]

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"Broadcom Wireless Manager UI" = "C:\WINDOWS\system32\WLTRAY" ["Broadcom Corporation"]

"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]

"SynTPLpr" = "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" ["Synaptics, Inc."]

"AGRSMMSG" = "AGRSMMSG.exe" ["Agere Systems"]

"SiSPower" = "Rundll32.exe SiSPower.dll,ModeAgent" [MS]

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)

-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"

\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)

-> {HKLM...CLSID} = "SSVHelper Class"

\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]

{9030D464-4C02-4ABF-8ECC-5164760863C6}\(Default) = (no title provided)

-> {HKLM...CLSID} = "Windows Live Sign-in Helper"

\InProcServer32\(Default) = "C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll" [MS]

{B930BA63-9E5A-11D3-A288-0000E80E2EDE}\(Default) = (no title provided)

-> {HKLM...CLSID} = "IECatcher Class"

\InProcServer32\(Default) = "C:\Program Files\Mass Downloader\MDHELPER.DLL" [empty string]

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Extension Affichage Panorama du Panneau de configuration"

-> {HKLM...CLSID} = "Extension Affichage Panorama du Panneau de configuration"

\InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Extension icône HyperTerminal"

-> {HKLM...CLSID} = "HyperTerminal Icon Ext"

\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]

"{3028902F-6374-48b2-8DC6-9725E775B926}" = "IE Microsoft AutoComplete"

-> {HKLM...CLSID} = "IE Microsoft AutoComplete"

\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]

"{EFA24E62-B078-11d0-89E4-00C04FC9E26E}" = "History Band"

-> {HKLM...CLSID} = "History Band"

\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]

"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"

-> {HKLM...CLSID} = "Portable Media Devices Menu"

\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]

"{2F603045-309F-11CF-9774-0020AFD0CFF6}" = "Synaptics Control Panel"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "C:\Program Files\Synaptics\SynTP\SynTPCpl.dll" ["Synaptics, Inc."]

"{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders"

-> {HKLM...CLSID} = "Mes dossiers de partage"

\InProcServer32\(Default) = "C:\Program Files\MSN Messenger\fsshext.8.1.0178.00.dll" [MS]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"

-> {HKLM...CLSID} = "Microsoft Office Outlook"

\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]

"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"

-> {HKLM...CLSID} = "Outlook File Icon Extension"

\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]

"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"

-> {HKLM...CLSID} = "RealOne Player Context Menu Class"

\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]

"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"

-> {HKLM...CLSID} = "AlcoholShellEx"

\InProcServer32\(Default) = "C:\PROGRA~1\ALCOHO~1\ALCOHO~1\AXShlEx.dll" ["Alcohol Soft Development Team"]

"{8D1636FD-CA49-4B4E-90E4-0A20E03A15E8}" = "jetAudio"

-> {HKLM...CLSID} = "JetFlExt"

\InProcServer32\(Default) = "C:\Program Files\JetAudio\JetFlExt.dll" ["JetAudio, Inc."]

 

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\

<<!>> "AppInit_DLLs" = "UmxSbxExw.dll" ["Tiny Software Inc."]

 

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

<<!>> PFW\DLLName = "UmxWnp.Dll" ["Tiny Software Inc."]

 

HKLM\Software\Classes\PROTOCOLS\Filter\

<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "C:\Program Files\Fichiers communs\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

 

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\

{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"

-> {HKLM...CLSID} = "PDF Shell Extension"

\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

 

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

 

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

jetAudio\(Default) = "{8D1636FD-CA49-4B4E-90E4-0A20E03A15E8}"

-> {HKLM...CLSID} = "JetFlExt"

\InProcServer32\(Default) = "C:\Program Files\JetAudio\JetFlExt.dll" ["JetAudio, Inc."]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

 

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

jetAudio\(Default) = "{8D1636FD-CA49-4B4E-90E4-0A20E03A15E8}"

-> {HKLM...CLSID} = "JetFlExt"

\InProcServer32\(Default) = "C:\Program Files\JetAudio\JetFlExt.dll" ["JetAudio, Inc."]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

 

 

Group Policies {GPedit.msc branch and setting}:

-----------------------------------------------

 

Note: detected settings may not have any effect.

 

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations\

 

"LowRiskFileTypes" = (REG_SZ) .zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;

{unrecognized setting}

 

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\

 

"SaveZoneInformation" = (REG_DWORD) hex:0x00000001

{unrecognized setting}

 

"HideZoneInfoOnProperties" = (REG_DWORD) hex:0x00000001

{unrecognized setting}

 

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

 

"CDRAutoRun" = (REG_DWORD) hex:0x00000001

{unrecognized setting}

 

"NoStrCmpLogical" = (REG_DWORD) hex:0x00000000

{unrecognized setting}

 

"NoSaveSettings" = (REG_DWORD) hex:0x00000000

{User Configuration|Administrative Templates|Desktop|

Don't save settings at exit}

 

"NoTrayItemsDisplay" = (REG_DWORD) hex:0x00000000

{User Configuration|Administrative Templates|Start Menu and Taskbar|

Hide the notification area}

 

"NoToolbarsOnTaskbar" = (REG_DWORD) hex:0x00000000

{unrecognized setting}

 

"NoResolveTrack" = (REG_DWORD) hex:0x00000000

{unrecognized setting}

 

"NoResolveSearch" = (REG_DWORD) hex:0x00000000

{unrecognized setting}

 

"NoNetworkConnections" = (REG_DWORD) hex:0x00000000

{User Configuration|Administrative Templates|Start Menu and Taskbar|

Remove Network Connections from Start Menu}

 

"NoRun" = (REG_DWORD) hex:0x00000000

{unrecognized setting}

 

"NoControlPanel" = (REG_DWORD) hex:0x00000000

{unrecognized setting}

 

"NoSMHelp" = (REG_DWORD) hex:0x00000000

{User Configuration|Administrative Templates|Start Menu and Taskbar|

Remove Help menu from Start Menu}

 

"NoRecentDocsMenu" = (REG_DWORD) hex:0x00000000

{unrecognized setting}

 

"NoFind" = (REG_DWORD) hex:0x00000000

{unrecognized setting}

 

"NoSMMyPictures" = (REG_DWORD) hex:0x00000000

{User Configuration|Administrative Templates|Start Menu and Taskbar|

Remove My Pictures icon from Start Menu}

 

"NoRecentDocsHistory" = (REG_DWORD) hex:0x00000000

{unrecognized setting}

 

"NoStartMenuMFUprogramsList" = (REG_DWORD) hex:0x00000000

{unrecognized setting}

 

"NoUserNameInStartMenu" = (REG_DWORD) hex:0x00000000

{unrecognized setting}

 

"NoStartMenuMorePrograms" = (REG_DWORD) hex:0x00000000

{User Configuration|Administrative Templates|Start Menu and Taskbar|

Remove All Programs list from the Start menu}

 

"ClearRecentDocsOnExit" = (REG_DWORD) hex:0x00000000

{unrecognized setting}

 

"NoInstrumentation" = (REG_DWORD) hex:0x00000000

{unrecognized setting}

 

"NoCDBurning" = (REG_DWORD) hex:0x00000001

{unrecognized setting}

 

"NoSMBalloonTip" = (REG_DWORD) hex:0x00000000

{unrecognized setting}

 

"DisallowCpl" = (REG_DWORD) hex:0x00000001

{User Configuration|Administrative Templates|Control Panel|

Hide specified control panel applets / items}

 

"NoLowDiskSpaceChecks" = (REG_DWORD) hex:0x00000001

{unrecognized setting}

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

 

"CDRAutoRun" = (REG_DWORD) hex:0x00000001

{unrecognized setting}

 

"NoRemoteRecursiveEvents" = (REG_DWORD) hex:0x00000001

{unrecognized setting}

 

"ForceClassicControlPanel" = (REG_DWORD) hex:0x00000001

{unrecognized setting}

 

"NoSimpleStartMenu" = (REG_DWORD) hex:0x00000000

{unrecognized setting}

 

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowCpl\

 

"1" = (REG_SZ) Polices

{unrecognized setting}

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

 

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Shutdown: Allow system to be shut down without having to log on}

 

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Devices: Allow undock without having to log on}

 

"SynchronousMachineGroupPolicy" = (REG_DWORD) hex:0x00000000

{unrecognized setting}

 

"SynchronousUserGroupPolicy" = (REG_DWORD) hex:0x00000000

{unrecognized setting}

 

 

Active Desktop and Wallpaper:

-----------------------------

 

Active Desktop may be disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

 

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

 

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:

HKCU\Control Panel\Desktop\

"Wallpaper" = "C:\Documents and Settings\Diwaworld\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

 

 

Startup items in "Diwaworld" & "All Users" startup folders:

-----------------------------------------------------------

 

C:\Documents and Settings\Diwaworld\Menu Démarrer\Programmes\Démarrage

"Rainlendar" -> shortcut to: "C:\Program Files\Rainlendar\Rainlendar.exe" ["Rainy"]

 

C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage

"Utility Tray" -> shortcut to: "C:\WINDOWS\system32\sistray.exe" ["Silicon Integrated Systems Corporation"]

 

 

Winsock2 Service Provider DLLs:

-------------------------------

 

Namespace Service Providers

 

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

 

Transport Service Providers

 

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

 

 

Toolbars, Explorer Bars, Extensions:

------------------------------------

 

Toolbars

 

HKLM\Software\Microsoft\Internet Explorer\Toolbar\

"{327C2873-E90D-4C37-AA9D-10AC9BABA46C}" = "Easy-WebPrint"

-> {HKLM...CLSID} = "Easy-WebPrint"

\InProcServer32\(Default) = "C:\Program Files\Canon\Easy-WebPrint\Toolband.dll" [null data]

 

Explorer Bars

 

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\

 

HKLM\Software\Classes\CLSID\{03C1C47F-0538-4645-8372-D3109B9FC636}\(Default) = "Easy-WebPrint"

Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32\(Default) = "C:\Program Files\Canon\Easy-WebPrint\Toolband.dll" [null data]

 

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Rechercher"

Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

 

Extensions (Tools menu items, main toolbar menu buttons)

 

HKLM\Software\Microsoft\Internet Explorer\Extensions\

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\

"MenuText" = "Console Java (Sun)"

"CLSIDExtension" = "{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}"

-> {HKCU...CLSID} = "Java Plug-in"

\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]

-> {HKLM...CLSID} = "Java Plug-in 1.5.0_06"

\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll" ["Sun Microsystems, Inc."]

 

{0FD01980-CCCB-11D3-80D4-0000E80E2EDE}\

"ButtonText" = "Mass Downloader"

"MenuText" = "&Mass Downloader"

"Exec" = "C:\Program Files\Mass Downloader\massdown.exe" [file not found]

 

{85D1F590-48F4-11D9-9669-0800200C9A66}\

"MenuText" = "Uninstall BitDefender Online Scanner v8"

"Exec" = "%windir%\bdoscandel.exe" [null data]

 

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\

"ButtonText" = "Recherche"

 

{A0E6D3BD-A661-447D-8634-0751467857F3}\

"ButtonText" = "Diminuer la page"

"Script" = "C:\Program Files\UTILS\EasyRead\ZoomOut.js" [file not found]

 

{AEBB571B-4C48-438D-808D-999F168CDECE}\

"ButtonText" = "Agrandir la page"

"Script" = "C:\Program Files\UTILS\EasyRead\ZoomIn.js" [file not found]

 

 

Miscellaneous IE Hijack Points

------------------------------

 

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

 

Added lines (compared with English-language version):

[strings]: SAFESITE_VALUE="http://home.microsoft.com/intl/fr/"

 

Missing lines (compared with English-language version):

[strings]: 1 line

 

 

Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------

 

Acronis Scheduler2 Service, AcrSch2Svc, ""C:\Program Files\Fichiers communs\Acronis\Schedule2\schedul2.exe"" ["Acronis"]

FW Configuration Interpreter, UmxCfg, ""C:\Program Files\Fichiers communs\PFShared\UmxCfg.exe"" ["Tiny Software, Inc."]

FW Live Update, UmxLU, ""C:\Program Files\Fichiers communs\PFShared\umxlu.exe"" ["Tiny Software, Inc."]

FW Policy Manager, UmxPol, ""C:\Program Files\Fichiers communs\PFShared\UmxPol.exe"" ["Tiny Software Inc."]

FW User-Mode Helper, UmxFwHlp, ""C:\Program Files\Tiny Firewall Pro\UmxFwHlp.exe"" ["Tiny Software, Inc."]

StarWind iSCSI Service, StarWindService, "C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe" ["Rocket Division Software"]

Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]

 

 

Print Monitors:

---------------

 

HKLM\System\CurrentControlSet\Control\Print\Monitors\

Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]

 

 

----------

<<!>>: Suspicious data at a malware launch point.

 

+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

launch it from a command prompt or a shortcut with the -all parameter.

+ To search all directories of local fixed drives for DESKTOP.INI

DLL launch points, use the -supp parameter or answer "No" at the

first message box and "Yes" at the second message box.

---------- (total run time: 71 seconds, including 18 seconds for message boxes)