
Posted (edited)

Hello everyone,

Since you were very effective with my last problem a year ago, I am coming to you with another one.

I think I must have caught something, but I don't know what. I can no longer run a virus scan: the PC crashes during the scan and reboots, and I can no longer install or uninstall programs with Windows Installer. It is started; I have tried every procedure I found on your forums and at Microsoft, but everything behaves as if it weren't there.

I ran Spybot, which found nothing; Ad-Aware finds infections but cannot remove them.

I am on Windows XP SP2.

I am attaching a HijackThis report made in normal mode; if you need another one in safe mode, just tell me.

 

Logfile of HijackThis v1.99.1

Scan saved at 13:54:42, on 19/08/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\McAfee.com\Agent\mcagent.exe

C:\Program Files\SiteAdvisor\6253\SiteAdv.exe

C:\Program Files\Shareaza\Shareaza.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\PROGRA~1\FICHIE~1\mcafee\mna\mcnasvc.exe

c:\PROGRA~1\FICHIE~1\mcafee\mcproxy\mcproxy.exe

C:\Program Files\McAfee\VirusScan\McShield.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\Program Files\Canon\MultiPASS\mpservic.exe

C:\Program Files\Microsoft LifeCam\MSCamS32.exe

C:\Program Files\McAfee\MSK\MskSrver.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Windows Live\Messenger\usnsvc.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\Program Files\Outlook Express\msimn.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Ciel\Devis factures\WDF.exe

E:\Download\Hijackthis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens

O2 - BHO: Aide pour le lien d'Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll

O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Programme d'aide de l'Assistant de connexion Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll

O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey

O4 - HKLM\..\Run: [siteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe

O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide

O4 - HKLM\..\Run: [MP_STATUS_MONITOR] "C:\Program Files\Canon\MultiPASS\monitr32.exe" I

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKCU\..\Run: [shareaza] "C:\Program Files\Shareaza\Shareaza.exe" -tray

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O16 - DPF: {B79A53C0-1DAC-4636-BACE-FD086A7A79BF} (AdSignerLCContrl Class) - https://static.impots.gouv.fr/tdir/static/a...gnerADP-1.1.cab

O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{D18298EF-96C4-4BC4-9EE7-07B433D98DBA}: NameServer = 80.10.246.2,80.10.246.129

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL

O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHIE~1\Skype\SKYPE4~1.DLL

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Fichiers communs\Macromedia Shared\Service\Macromedia Licensing.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\FICHIE~1\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\FICHIE~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: MPService - Canon Information Systems - C:\Program Files\Canon\MultiPASS\mpservic.exe

O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe

 

Thanks in advance for your help.

Edited by alainj77

  • Moderators
Posted

Hello alainj77 :P

Let's dig around a bit then; for now there is nothing worrying.
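As an added example (not code from the original post, and not part of HijackThis), here is a small Python triage helper for a log like the one above. It parses the `Oxx - ...` lines, groups them by section code, flags entries whose target file is reported missing (`(no file)` / `(file missing)`), and pulls the DNS servers out of the O17 line so they can be compared with the ones the ISP actually hands out. The sample lines are copied from the log above; the function names and regular expressions are my own.

```python
"""Triage helper for HijackThis-style log lines (added example, not HijackThis code)."""
import re
from collections import defaultdict

# Constructed sample: lines copied from the log above. Two of them point at
# files that no longer exist, which is what a helper checks first.
SAMPLE_LOG = """\
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\\..\\Run: [KernelFaultCheck] %systemroot%\\system32\\dumprep 0 -k
O4 - HKCU\\..\\Run: [shareaza] "C:\\Program Files\\Shareaza\\Shareaza.exe" -tray
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\\Network Diagnostic\\xpnetdiag.exe (file missing)
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{D18298EF-96C4-4BC4-9EE7-07B433D98DBA}: NameServer = 80.10.246.2,80.10.246.129
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\\PROGRA~1\\McAfee\\MSC\\mcmscsvc.exe
"""

# A log entry starts with a section code (R0, O2, O23, ...) followed by " - ".
LINE_RE = re.compile(r"^(?P<code>[RFO]\d{1,2}) - (?P<body>.*)$")
# COM class ids are 8-4-4-4-12 hex digits in braces: 36 characters inside.
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
MISSING_MARKERS = ("(no file)", "(file missing)")


def parse_hjt(text):
    """Return one dict per O/R/F line: code, body, clsid (upper-cased or None), missing."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # header lines, running-process paths, blank lines
        body = m.group("body")
        clsid = CLSID_RE.search(body)
        entries.append({
            "code": m.group("code"),
            "body": body,
            "clsid": clsid.group(0).upper() if clsid else None,
            "missing": any(marker in body for marker in MISSING_MARKERS),
        })
    return entries


def by_section(entries):
    """Group entries by section code, e.g. {'O2': [...], 'O4': [...]}."""
    groups = defaultdict(list)
    for entry in entries:
        groups[entry["code"]].append(entry)
    return dict(groups)


def orphaned(entries):
    """Entries that still reference a file HijackThis could not find on disk."""
    return [entry for entry in entries if entry["missing"]]


def nameservers(entries):
    """DNS servers from O17 lines, to compare against the ISP's known resolvers."""
    servers = []
    for entry in entries:
        if entry["code"] == "O17" and "NameServer" in entry["body"]:
            _, _, value = entry["body"].partition("NameServer = ")
            servers.extend(v.strip() for v in value.split(",") if v.strip())
    return servers


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    for code, items in sorted(by_section(parsed).items()):
        print(f"{code}: {len(items)} entr{'y' if len(items) == 1 else 'ies'}")
    for entry in orphaned(parsed):
        print("orphaned:", entry["code"], entry["body"])
    print("DNS servers:", nameservers(parsed))
```

Orphaned O2/O9 entries are usually leftovers of an uninstalled program rather than an infection, but they are the cheapest lines to clean up and remove noise from the next log; the O17 check matters because a changed resolver is one of the quieter ways a machine gets redirected.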

 

Download DiagHelp.zip by Malekal_morte to your desktop.

  • Unzip it, to your desktop for example.
  • A new folder named DiagHelp will be created.
  • Open it and double-click go.cmd (the .cmd extension may not be shown).
  • A window will open; choose option 1.
  • The scan will start; it may take a few minutes. Let it run and press the keys when asked.
  • A browser window will open; follow the instructions. Whether it works or not, close the window and a report will open.
  • Copy/paste the contents of the Notepad window that opens and attach it to your next reply.

(It is possible that the antivirus panics during the DiagHelp scan; that is a false positive, ignore the alerts.)

Posted

Hello Gof,

Thanks for the quick reply, but it's off to a bad start.

I downloaded and unzipped it; if I double-click go.cmd, Spybot scans it. I tried running it via Start ==> Run, but I get a message saying Windows cannot open this file (it needs to know which program to use...). I suppose you know the rest, lol.

So of course nothing happens.

  • Moderators
Posted

Hello again alainj77,

You will need to disable your security tools; they are probably what is preventing DiagHelp from working properly.

Then redo the download, the unzipping and the execution of the tool.

Posted

Hello again Gof,

I could not run go.cmd by double-clicking even after uninstalling Spybot; I ran it from a command prompt. Here is the report:

 

DiagHelp version v1.4 - http://www.malekal.com

excute le 19/08/2008 à 16:45:53,14

 

 

Liste des derniers fichies modifies/crees dans windir\system32 et prefetch

C:\WINDOWS\prefetch\CHCP.COM-17EDBDC9.pf -->19/08/2008 16:45:43

C:\WINDOWS\prefetch\CMD.EXE-034B0549.pf -->19/08/2008 16:44:37

C:\WINDOWS\prefetch\WINRAR.EXE-0AA31BB9.pf -->19/08/2008 16:43:08

C:\WINDOWS\prefetch\MCUIMGR.EXE-05B9316A.pf -->19/08/2008 16:42:47

C:\WINDOWS\prefetch\IEXPLORE.EXE-2D97EBE6.pf -->19/08/2008 16:39:38

C:\WINDOWS\prefetch\MSKAGENT.EXE-180ABA5C.pf -->19/08/2008 16:30:29

C:\WINDOWS\prefetch\MCSYSMON.EXE-045A2ADD.pf -->19/08/2008 16:27:48

C:\WINDOWS\prefetch\WMIPRVSE.EXE-0D449B4F.pf -->19/08/2008 16:27:13

C:\WINDOWS\prefetch\WUAUCLT.EXE-1360D60A.pf -->19/08/2008 16:27:03

C:\WINDOWS\prefetch\USNSVC.EXE-05B86444.pf -->19/08/2008 16:26:53

 

C:\WINDOWS\System32\drivers\mfesmfk.sys -->02/12/2007 12:51:42

C:\WINDOWS\System32\drivers\mfehidk.sys -->22/11/2007 06:44:08

C:\WINDOWS\System32\drivers\mfebopk.sys -->22/11/2007 06:44:08

C:\WINDOWS\System32\drivers\mfeavfk.sys -->22/11/2007 06:44:08

C:\WINDOWS\System32\drivers\mferkdk.sys -->22/11/2007 06:44:04

C:\WINDOWS\System32\drivers\AWRTRD.sys -->07/08/2007 13:58:08

C:\WINDOWS\System32\drivers\NSDriver.sys -->07/08/2007 13:56:58

 

C:\WINDOWS\System32\Config.MPF -->19/08/2008 16:26:20

C:\WINDOWS\System32\wpa.dbl -->19/08/2008 16:24:20

C:\WINDOWS\System32\PerfStringBackup.INI -->19/08/2008 06:03:48

C:\WINDOWS\System32\perfh00C.dat -->19/08/2008 06:03:48

C:\WINDOWS\System32\perfh009.dat -->19/08/2008 06:03:48

C:\WINDOWS\System32\perfc00C.dat -->19/08/2008 06:03:48

C:\WINDOWS\System32\perfc009.dat -->19/08/2008 06:03:48

C:\WINDOWS\System32\FNTCACHE.DAT -->19/08/2008 05:54:42

C:\WINDOWS\System32\$winnt$.inf -->19/08/2008 05:52:34

C:\WINDOWS\System32\nscompat.tlb -->19/08/2008 05:47:58

C:\WINDOWS\System32\amcompat.tlb -->19/08/2008 05:47:58

C:\WINDOWS\System32\WindowsLogon.manifest -->19/08/2008 05:46:47

C:\WINDOWS\System32\logonui.exe.manifest -->19/08/2008 05:46:47

C:\WINDOWS\System32\wuaucpl.cpl.manifest -->19/08/2008 05:46:39

C:\WINDOWS\System32\sapi.cpl.manifest -->19/08/2008 05:46:39

C:\WINDOWS\System32\nwc.cpl.manifest -->19/08/2008 05:46:39

C:\WINDOWS\System32\ncpa.cpl.manifest -->19/08/2008 05:46:39

C:\WINDOWS\System32\cdplayer.exe.manifest -->19/08/2008 05:46:39

C:\WINDOWS\System32\emptyregdb.dat -->19/08/2008 05:38:31

C:\WINDOWS\System32\TZLog.log -->19/08/2008 03:06:08

C:\WINDOWS\System32\eearooqp.tmp -->12/08/2008 19:00:08

C:\WINDOWS\System32\MRT.exe -->05/08/2008 20:11:01

C:\WINDOWS\System32\tzchange.exe -->14/07/2008 13:09:18

C:\WINDOWS\System32\xpsp3res.dll -->03/07/2008 11:42:35

C:\WINDOWS\System32\msfeedsbs.dll -->23/06/2008 18:28:20

 

C:\WINDOWS\WindowsUpdate.log -->19/08/2008 16:27:07

C:\WINDOWS\0.log -->19/08/2008 16:26:10

C:\WINDOWS\wiadebug.log -->19/08/2008 16:26:02

C:\WINDOWS\wiaservc.log -->19/08/2008 16:25:59

C:\WINDOWS\bootstat.dat -->19/08/2008 16:24:16

C:\WINDOWS\SchedLgU.Txt -->19/08/2008 16:22:42

C:\WINDOWS\svcpack.log -->19/08/2008 13:08:33

C:\WINDOWS\setupapi.log -->19/08/2008 13:05:25

C:\WINDOWS\KB893803v2.log -->19/08/2008 09:34:12

C:\WINDOWS\KB952954.log -->19/08/2008 09:10:12

C:\WINDOWS\KB950974.log -->19/08/2008 09:10:04

C:\WINDOWS\KB951698.log -->19/08/2008 09:09:54

C:\WINDOWS\KB951072-v2.log -->19/08/2008 09:09:44

C:\WINDOWS\KB953838.log -->19/08/2008 09:09:29

C:\WINDOWS\KB951748.log -->19/08/2008 09:09:00

 

winlogon.exe

Verified: Signed

svchost.exe

Verified: Signed

ws2_32.dll

Verified: Signed

user32.dll

Verified: Signed

tcpip.sys

Verified: Signed

ndis.sys

Verified: Signed

null.sys

Verified: Signed

 

 

ListDLLs v2.25 - DLL lister for Win9x/NT

Copyright © 1997-2004 Mark Russinovich

Sysinternals - www.sysinternals.com

 

------------------------------------------------------------------------------

explorer.exe pid: 1372

Command line: C:\WINDOWS\Explorer.EXE

 

Base Size Version Path

0x76f80000 0x7f000 2001.12.4414.0258 C:\WINDOWS\system32\CLBCATQ.DLL

0x77000000 0xd4000 2001.12.4414.0258 C:\WINDOWS\system32\COMRes.dll

0x76ac0000 0x11000 3.05.2284.0000 C:\WINDOWS\system32\ATL.DLL

0x7d200000 0x2b2000 3.00.3790.2180 C:\WINDOWS\system32\msi.dll

0x164a0000 0x23000 5.02.5721.5145 C:\WINDOWS\system32\WPDShServiceObj.dll

0x109c0000 0x2c000 5.02.5721.5145 C:\WINDOWS\system32\PortableDeviceTypes.dll

0x10930000 0x49000 5.02.5721.5145 C:\WINDOWS\system32\PortableDeviceApi.dll

0x10000000 0x6000 2.06.0000.6253 C:\Program Files\SiteAdvisor\6253\saHook.dll

0x748f0000 0x130000 8.50.2162.0000 C:\WINDOWS\system32\msxml3.dll

0x14490000 0x12000 14.00.0000.0366 C:\Program Files\McAfee\VirusScan\scriptsn.dll

0x75be0000 0x6e000 5.06.0000.8820 C:\WINDOWS\system32\JScript.dll

0x73250000 0x67000 5.06.0000.8820 C:\WINDOWS\system32\VBScript.dll

0x73d20000 0xfe000 6.02.4131.0000 C:\WINDOWS\system32\MFC42.DLL

0x61d70000 0xe000 6.00.8665.0000 C:\WINDOWS\system32\MFC42LOC.DLL

0x74730000 0x3d000 3.525.1117.0000 C:\WINDOWS\system32\ODBC32.dll

0x029a0000 0x18000 3.525.1117.0000 C:\WINDOWS\system32\odbcint.dll

0x03110000 0x4c000 8.00.0000.0000 C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\PDFShell.FRA

0x01d00000 0x2c000 C:\Program Files\WinRAR\rarext.dll

0x6c600000 0x29000 12.00.0172.0000 c:\PROGRA~1\mcafee\VIRUSS~1\mcctxmnu.dll

0x02ed0000 0x174000 1.01.0001.0001 C:\Program Files\Fichiers communs\Ahead\Lib\NeroDigitalExt.dll

0x7c140000 0x103000 7.10.3077.0000 C:\Program Files\Fichiers communs\Ahead\Lib\MFC71.DLL

0x7c340000 0x56000 7.10.3052.0004 C:\Program Files\Fichiers communs\Ahead\Lib\MSVCR71.dll

0x7c3a0000 0x7b000 7.10.3077.0000 C:\Program Files\Fichiers communs\Ahead\Lib\MSVCP71.dll

0x02800000 0x5b000 8.01.0000.0000 C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\PDFShell.dll

0x78130000 0x9b000 8.00.50727.0163 C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_681e29fb\MSVCR80.dll

0x024e0000 0x10000 8.00.0000.0456 C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

 

ListDLLs v2.25 - DLL lister for Win9x/NT

Copyright © 1997-2004 Mark Russinovich

Sysinternals - www.sysinternals.com

 

------------------------------------------------------------------------------

winlogon.exe pid: 564

Command line: winlogon.exe

 

Base Size Version Path

0x01000000 0x81000 \??\C:\WINDOWS\system32\winlogon.exe

0x74730000 0x3d000 3.525.1117.0000 C:\WINDOWS\system32\ODBC32.dll

0x20000000 0x18000 3.525.1117.0000 C:\WINDOWS\system32\odbcint.dll

0x76ac0000 0x11000 3.05.2284.0000 C:\WINDOWS\system32\ATL.DLL

0x77000000 0xd4000 2001.12.4414.0258 C:\WINDOWS\system32\COMRes.dll

0x76f80000 0x7f000 2001.12.4414.0258 C:\WINDOWS\system32\CLBCATQ.DLL

 

 

Le volume dans le lecteur C n'a pas de nom.

Le numéro de série du volume est E8F2-E0B7

 

Répertoire de C:\WINDOWS\system32

 

05/08/2004 14:00 6 144 csrss.exe

1 fichier(s) 6 144 octets

0 Rép(s) 19 508 543 488 octets libres

 

Contenu de Downloaded Program Files

Le volume dans le lecteur C n'a pas de nom.

Le numéro de série du volume est E8F2-E0B7

 

Répertoire de C:\WINDOWS\Downloaded Program Files

 

18/08/2008 10:17 <REP> .

18/08/2008 10:17 <REP> ..

31/03/2008 21:51 392 528 AdSignerADP.dll

12/12/2007 10:33 747 AdSignerADP.inf

31/03/2008 21:51 261 456 AdVerifierADP.dll

19/08/2008 05:46 65 desktop.ini

20/11/2007 17:04 1 523 536 FP_AX_CAB_INSTALLER.exe

16/05/2007 09:22 399 gp.inf

16/05/2007 09:22 166 512 gp.ocx

20/03/2008 15:10 367 LegitCheckControl.inf

28/02/2007 21:24 361 OGAControl.inf

28/08/2006 12:05 227 opuc.inf

20/11/2007 16:50 247 swflash.inf

11 fichier(s) 2 346 445 octets

 

Total des fichiers listés :

11 fichier(s) 2 346 445 octets

2 Rép(s) 19 508 539 392 octets libres

 

Recherche de rootkit! (Merci S!Ri)

sysbus32 présent! Possible infection rootkit Troj/Dropper-EC

sysbus32 présent! Possible infection Troj/Dropper-EC

 

Recherche d'infections connues

 

Export des clefs sensibles..

 

 

Liste des fichiers en exception sur le pare-feu XP SP2

 

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"

"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

"C:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"="C:\\Program Files\\Microsoft LifeCam\\LifeCam.exe:*:Enabled:LifeCam.exe"

"C:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"="C:\\Program Files\\Microsoft LifeCam\\LifeExp.exe:*:Enabled:LifeExp.exe"

"C:\\Program Files\\FileZilla\\FileZilla.exe"="C:\\Program Files\\FileZilla\\FileZilla.exe:*:Enabled:FileZilla"

"C:\\Program Files\\Shareaza\\Shareaza.exe"="C:\\Program Files\\Shareaza\\Shareaza.exe:*:Enabled:Shareaza Ultimate File Sharing"

"C:\\Program Files\\Ahead\\Nero ShowTime\\ShowTime.exe"="C:\\Program Files\\Ahead\\Nero ShowTime\\ShowTime.exe:*:Enabled:Nero ShowTime"

"C:\\Program Files\\Fichiers communs\\McAfee\\MNA\\McNASvc.exe"="C:\\Program Files\\Fichiers communs\\McAfee\\MNA\\McNASvc.exe:*:Enabled:McAfee Network Agent"

"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype. Take a deep breath "

 

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"

"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

 

Export de la clef SharedTaskScheduler

 

[sharedTaskScheduler]

"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Pré-chargeur Browseui"

"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Démon de cache des catégories de composant"

 

 

 

exports des policies

REGEDIT4

 

[system]

"dontdisplaylastusername"=dword:00000000

"legalnoticecaption"=""

"legalnoticetext"=""

"shutdownwithoutlogon"=dword:00000001

"undockwithoutlogon"=dword:00000001

 

 

 

Export des clefs sensibles..

Rechercher adresses sensibles dans le fichier HOSTS...

127.0.0.1 www.activexupdate.com

127.0.0.1 activexupdate.com

127.0.0.1 www.antispywareupdates.net

127.0.0.1 antispywareupdates.net

127.0.0.1 www.avpcheckupdate.com

127.0.0.1 avpcheckupdate.com

127.0.0.1 client.exeupdate.com

127.0.0.1 www.eupdatepage.com

127.0.0.1 eupdatepage.com

127.0.0.1 www.exeupdate.com

127.0.0.1 exeupdate.com

127.0.0.1 www.hotwinupdates.com

127.0.0.1 hotwinupdates.com

127.0.0.1 www.lavasoftupdate.com

127.0.0.1 lavasoftupdate.com

127.0.0.1 www.malwarewipeupdate.com

127.0.0.1 malwarewipeupdate.com

127.0.0.1 www.msupdate.net

127.0.0.1 msupdate.net

127.0.0.1 www.msupdater.net

127.0.0.1 msupdater.net

127.0.0.1 www.necessaryupdates.com

127.0.0.1 necessaryupdates.com

127.0.0.1 newupdates.lzio.com

127.0.0.1 redirect.msupdate.net

127.0.0.1 search.keyword.exeupdate.com

127.0.0.1 www.securityupdatesite.com

127.0.0.1 securityupdatesite.com

127.0.0.1 settings.updatemysettings.com

127.0.0.1 www.spyaxeupdate.com

127.0.0.1 spyaxeupdate.com

127.0.0.1 www.spyfalconupdate.com

127.0.0.1 spyfalconupdate.com

127.0.0.1 www.systemupdates.net

127.0.0.1 systemupdates.net

127.0.0.1 trial.updates.winsoftware.com

127.0.0.1 update.680180.net

127.0.0.1 update.shareaza.com

127.0.0.1 www.updatemysettings.com

127.0.0.1 updatemysettings.com

127.0.0.1 updates.spywarequake.com

127.0.0.1 www.urgentsystemupdate.biz

127.0.0.1 urgentsystemupdate.biz

127.0.0.1 www.urgentsystemupdate.com

127.0.0.1 urgentsystemupdate.com

127.0.0.1 windupdates.com

127.0.0.1 www.flwupdate.com

127.0.0.1 flwupdate.com

127.0.0.1 www.movupdate.com

127.0.0.1 movupdate.com

127.0.0.1 www.mpegupdate.com

127.0.0.1 mpegupdate.com

127.0.0.1 www.updatesantivirus.com

127.0.0.1 updatesantivirus.com

127.0.0.1 www.pandaantivirus-2007.com

127.0.0.1 pandaantivirus-2007.com

127.0.0.1 www.pandadownload-now.com

127.0.0.1 pandadownload-now.com

127.0.0.1 www.panda-hq.com

127.0.0.1 panda-hq.com

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-08-19 16:46:56

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden services & system hive ...

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ContentIndex\Catalogs\System]

"Location"="E:\System Volume Information"

"IsIndexingW3Svc"=dword:00000000

"IsIndexingNNTPSvc"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Abiosdsk]

"ErrorControl"=dword:00000000

"Group"="Primary disk"

"Start"=dword:00000004

"Tag"=dword:00000003

"Type"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\System\abiosdsk]

"EventMessageFile"=str(2):"%SystemRoot%\System32\IoLogMsg.dll"

"TypesSupported"=dword:00000007

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\System\intelide]

"EventMessageFile"=str(2):"%SystemRoot%\System32\IoLogMsg.dll;%SystemRoot%\System32\Drivers\IntelIde.sys"

"TypesSupported"=dword:00000007

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\System\PptpMiniport]

"EventMessageFile"=str(2):"%SystemRoot%\System32\netevent.dll"

"TypesSupported"=dword:00000007

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EVXRVXRK]

"Type"=dword:00000001

"Start"=dword:00000002

"ErrorControl"=dword:00000001

"ImagePath"=str(2):"\??\C:\WINDOWS\system32\drivers\EVXRVXRK.sys"

"DisplayName"="EVXRVXRK"

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EVXRVXRK\Security]

"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\IntelIde]

"ErrorControl"=dword:00000001

"Group"="System Bus Extender"

"Start"=dword:00000000

"Tag"=dword:00000004

"Type"=dword:00000001

"ImagePath"=str(2):"system32\DRIVERS\intelide.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PptpMiniport]

"Type"=dword:00000001

"Start"=dword:00000003

"ErrorControl"=dword:00000001

"ImagePath"=str(2):"system32\DRIVERS\raspptp.sys"

"DisplayName"="Miniport réseau étendu (PPTP)"

"Description"="Miniport réseau étendu (PPTP)"

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PptpMiniport\Security]

"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ContentIndex\Catalogs\System]

"Location"="E:\System Volume Information"

"IsIndexingW3Svc"=dword:00000000

"IsIndexingNNTPSvc"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Abiosdsk]

"ErrorControl"=dword:00000000

"Group"="Primary disk"

"Start"=dword:00000004

"Tag"=dword:00000003

"Type"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\System\abiosdsk]

"EventMessageFile"=str(2):"%SystemRoot%\System32\IoLogMsg.dll"

"TypesSupported"=dword:00000007

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\System\intelide]

"EventMessageFile"=str(2):"%SystemRoot%\System32\IoLogMsg.dll;%SystemRoot%\System32\Drivers\IntelIde.sys"

"TypesSupported"=dword:00000007

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\System\PptpMiniport]

"EventMessageFile"=str(2):"%SystemRoot%\System32\netevent.dll"

"TypesSupported"=dword:00000007

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EVXRVXRK]

"Type"=dword:00000001

"Start"=dword:00000002

"ErrorControl"=dword:00000001

"ImagePath"=str(2):"\??\C:\WINDOWS\system32\drivers\EVXRVXRK.sys"

"DisplayName"="EVXRVXRK"

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EVXRVXRK\Security]

"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IntelIde]

"ErrorControl"=dword:00000001

"Group"="System Bus Extender"

"Start"=dword:00000000

"Tag"=dword:00000004

"Type"=dword:00000001

"ImagePath"=str(2):"system32\DRIVERS\intelide.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PptpMiniport]

"Type"=dword:00000001

"Start"=dword:00000003

"ErrorControl"=dword:00000001

"ImagePath"=str(2):"system32\DRIVERS\raspptp.sys"

"DisplayName"="Miniport réseau étendu (PPTP)"

"Description"="Miniport réseau étendu (PPTP)"

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PptpMiniport\Security]

"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sysbus32]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2]

 

scanning hidden registry entries ...

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Wallpaper]

"Changed"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\DeluxeCD\Providers]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CSSFilters]

"oavredirect"="{999937BC-30FE-11D4-BA52-00C04F6843FA}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartMenu\StartMenu\StartMenuRun]

"Type"="checkbox"

"Text"="@shell32.dll,-30474"

"HKeyRoot"=dword:80000001

"RegPath"="Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"

"ValueName"="StartMenuRun"

"CheckedValue"=dword:00000001

"UncheckedValue"=dword:00000000

"DefaultValue"=dword:00000001

"HelpID"="windows.hlp#51142"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartMenu\StartPanel\ShowPrinters]

"Type"="checkbox"

"Text"="@shell32.dll,-30493"

"HKeyRoot"=dword:80000001

"RegPath"="Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"

"ValueName"="Start_ShowPrinters"

"CheckedValue"=dword:00000001

"UncheckedValue"=dword:00000000

"DefaultValue"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SO\ACTIVE_CONTENT\ACTIVEX_OPTIN\DISABLE]

"CheckedValue"=dword:00000003

"DefaultValue"=dword:00000003

"PlugUIText"="@inetcpl.cpl,-4805"

"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

"Text"="Disable"

"Type"="radio"

"ValueName"="1208"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SO\ACTIVE_CONTENT\ALLOW_DYNSRC_VIDEO\DISABLE]

"CheckedValue"=dword:00000003

"DefaultValue"=dword:00000003

"PlugUIText"="@inetcpl.cpl,-4805"

"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

"Text"="Disable"

"Type"="radio"

"ValueName"="120A"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SO\ACTIVE_CONTENT\AUTOMATIC_ACTIVEX_UI\DISABLE]

"Type"="radio"

"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

"Text"="Désactiver"

"PlugUIText"="@inetcplc.dll,-4805"

"ValueName"="2201"

"CheckedValue"=dword:00000003

"DefaultValue"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SO\ACTIVE_CONTENT\BBHVR\DISABLE]

"Type"="radio"

"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

"Text"="Désactiver"

"PlugUIText"="@inetcplc.dll,-4805"

"ValueName"="2000"

"CheckedValue"=dword:00000003

"DefaultValue"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SO\DOWNLOAD\AUTOMATIC_DOWNLOAD_UI\DISABLE]

"Type"="radio"

"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

"Text"="Désactiver"

"PlugUIText"="@inetcplc.dll,-4805"

"ValueName"="2200"

"CheckedValue"=dword:00000003

"DefaultValue"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SO\JAVAPER\JAVA\DISABLE]

"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SO\MISC\FORCE_ADDRESS_BAR\DISABLE]

"CheckedValue"=dword:00000003

"DefaultValue"=dword:00000003

"PlugUIText"="@inetcpl.cpl,-4805"

"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

"Text"="Disable"

"Type"="radio"

"ValueName"="2104"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SO\MISC\FORMDATA]

"Type"="group"

"Text"="Soumettre les données de formulaire non codées"

"PlugUIText"="@inetcplc.dll,-4797"

"Bitmap"="C:\WINDOWS\system32\inetcpl.cpl,4443"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SO\MISC\FORMDATA\ALLOW]

"Type"="radio"

"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

"Text"="Activer"

"PlugUIText"="@inetcplc.dll,-4803"

"ValueName"="1601"

"CheckedValue"=dword:00000000

"DefaultValue"=dword:00000003

"Mask"=dword:00000003

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SO\MISC\FORMDATA\DENY]

"Type"="radio"

"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

"Text"="Désactiver"

"PlugUIText"="@inetcplc.dll,-4805"

"ValueName"="1601"

"CheckedValue"=dword:00000003

"DefaultValue"=dword:00000003

"Mask"=dword:00000003

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SO\MISC\FORMDATA\QUERY]

"Type"="radio"

"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

"Text"="Demander"

"PlugUIText"="@inetcplc.dll,-4804"

"ValueName"="1601"

"CheckedValue"=dword:00000001

"DefaultValue"=dword:00000003

"Mask"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SO\MISC\INC_UPLOAD_FILEPATH\DISABLE]

"CheckedValue"=dword:00000003

"DefaultValue"=dword:00000003

"PlugUIText"="@inetcpl.cpl,-4805"

"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

"Text"="Disable"

"Type"="radio"

"ValueName"="160A"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SO\MISC\MIME_SNIFFING\DISABLE]

"Type"="radio"

"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

"Text"="Désactiver"

"PlugUIText"="@inetcplc.dll,-4805"

"ValueName"="2100"

"CheckedValue"=dword:00000003

"DefaultValue"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SO\MISC\RESTRICTED_PROTOCOLS\DISABLE]

"Type"="radio"

"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

"Text"="Désactiver"

"PlugUIText"="@inetcplc.dll,-4805"

"ValueName"="2300"

"CheckedValue"=dword:00000003

"DefaultValue"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SO\MISC\WINDOW_RESTRICTIONS\DISABLE]

"Type"="radio"

"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

"Text"="Désactiver"

"PlugUIText"="@inetcplc.dll,-4805"

"ValueName"="2102"

"CheckedValue"=dword:00000003

"DefaultValue"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SO\MISC\ZONE_ELEVATION\DISABLE]

"Type"="radio"

"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

"Text"="Désactiver"

"PlugUIText"="@inetcplc.dll,-4805"

"ValueName"="2101"

"CheckedValue"=dword:00000003

"DefaultValue"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SO\WINFX\LOOSE_XAML\DISABLE]

"CheckedValue"=dword:00000003

"DefaultValue"=dword:00000003

"PlugUIText"="@inetcpl.cpl,-4805"

"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

"Text"="Disable"

"Type"="radio"

"ValueName"="2402"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SO\WINFX\WINDOWS_BROWSER_APPLICATIONS\DISABLE]

"CheckedValue"=dword:00000003

"DefaultValue"=dword:00000003

"PlugUIText"="@inetcpl.cpl,-4805"

"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

"Text"="Disable"

"Type"="radio"

"ValueName"="2400"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SO\WINFX\XPS_DOCUMENTS\DISABLE]

"CheckedValue"=dword:00000003

"DefaultValue"=dword:00000003

"PlugUIText"="@inetcpl.cpl,-4805"

"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

"Text"="Disable"

"Type"="radio"

"ValueName"="2401"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SO\WinFXSetup\DISABLE]

"CheckedValue"=dword:00000003

"DefaultValue"=dword:00000003

"PlugUIText"="@inetcpl.cpl,-4805"

"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

"Text"="Disable"

"Type"="radio"

"ValueName"="2600"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SOIEAK\ACTIVE_CONTENT\ACTIVEX_OPTIN\DISABLE]

"CheckedValue"=dword:00000003

"DefaultValue"=dword:00000003

"PlugUIText"="@inetcpl.cpl,-4805"

"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

"Text"="Disable"

"Type"="radio"

"ValueName"="1208"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SOIEAK\ACTIVE_CONTENT\ALLOW_DYNSRC_VIDEO\DISABLE]

"CheckedValue"=dword:00000003

"DefaultValue"=dword:00000003

"PlugUIText"="@inetcpl.cpl,-4805"

"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

"Text"="Disable"

"Type"="radio"

"ValueName"="120A"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SOIEAK\ACTIVE_CONTENT\AUTOMATIC_ACTIVEX_UI\DISABLE]

"Type"="radio"

"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

"Text"="Désactiver"

"PlugUIText"="@inetcplc.dll,-4805"

"ValueName"="2201"

"CheckedValue"=dword:00000003

"DefaultValue"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SOIEAK\ACTIVE_CONTENT\BBHVR\DISABLE]

"Type"="radio"

"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

"Text"="Désactiver"

"PlugUIText"="@inetcplc.dll,-4805"

"ValueName"="2000"

"CheckedValue"=dword:00000003

"DefaultValue"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SOIEAK\DOWNLOAD\AUTOMATIC_DOWNLOAD_UI\DISABLE]

"Type"="radio"

"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

"Text"="Désactiver"

"PlugUIText"="@inetcplc.dll,-4805"

"ValueName"="2200"

"CheckedValue"=dword:00000003

"DefaultValue"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SOIEAK\JAVAPER\JAVA\DISABLE]

"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

"Type"="radio"

"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

"Text"="Désactiver Java"

"PlugUIText"="@inetcplc.dll,-4818"

"ValueName"="1C00"

"CheckedValue"=dword:00000000

"DefaultValue"=dword:00000000

"HKeyRoot"=dword:80000002

"HelpID"="iexplore.hlp#50241"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SOIEAK\MISC\FORCE_ADDRESS_BAR\DISABLE]

"CheckedValue"=dword:00000003

"DefaultValue"=dword:00000003

"PlugUIText"="@inetcpl.cpl,-4805"

"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

"Text"="Disable"

"Type"="radio"

"ValueName"="2104"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SOIEAK\MISC\FORMDATA]

"Type"="group"

"Text"="Soumettre les données de formulaire non codées"

"PlugUIText"="@inetcplc.dll,-4797"

"Bitmap"="C:\WINDOWS\system32\inetcpl.cpl,4443"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SOIEAK\MISC\FORMDATA\ALLOW]

"Type"="radio"

"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

"Text"="Activer"

"PlugUIText"="@inetcplc.dll,-4803"

"ValueName"="1601"

"CheckedValue"=dword:00000000

"DefaultValue"=dword:00000003

"HKeyRoot"=dword:80000002

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SOIEAK\MISC\FORMDATA\DENY]

"Type"="radio"

"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

"Text"="Désactiver"

"PlugUIText"="@inetcplc.dll,-4805"

"ValueName"="1601"

"CheckedValue"=dword:00000003

"DefaultValue"=dword:00000003

"HKeyRoot"=dword:80000002

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SOIEAK\MISC\FORMDATA\QUERY]

"Type"="radio"

"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

"Text"="Demander"

"PlugUIText"="@inetcplc.dll,-4804"

"ValueName"="1601"

"CheckedValue"=dword:00000001

"DefaultValue"=dword:00000003

"HKeyRoot"=dword:80000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SOIEAK\MISC\MIME_SNIFFING\DISABLE]

"Type"="radio"

"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

"Text"="Désactiver"

"PlugUIText"="@inetcplc.dll,-4805"

"ValueName"="2100"

"CheckedValue"=dword:00000003

"DefaultValue"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SOIEAK\MISC\RESTRICTED_PROTOCOLS\DISABLE]

"Type"="radio"

"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

"Text"="Désactiver"

"PlugUIText"="@inetcplc.dll,-4805"

"ValueName"="2300"

"CheckedValue"=dword:00000003

"DefaultValue"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SOIEAK\MISC\WINDOW_RESTRICTIONS\DISABLE]

"Type"="radio"

"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

"Text"="Désactiver"

"PlugUIText"="@inetcplc.dll,-4805"

"ValueName"="2102"

"CheckedValue"=dword:00000003

"DefaultValue"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SOIEAK\MISC\ZONE_ELEVATION\DISABLE]

"Type"="radio"

"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

"Text"="Désactiver"

"PlugUIText"="@inetcplc.dll,-4805"

"ValueName"="2101"

"CheckedValue"=dword:00000003

"DefaultValue"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SOIEAK\WINFX\LOOSE_XAML\DISABLE]

"CheckedValue"=dword:00000003

"DefaultValue"=dword:00000003

"PlugUIText"="@inetcpl.cpl,-4805"

"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

"Text"="Disable"

"Type"="radio"

"ValueName"="2402"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SOIEAK\WINFX\WINDOWS_BROWSER_APPLICATIONS\DISABLE]

"CheckedValue"=dword:00000003

"DefaultValue"=dword:00000003

"PlugUIText"="@inetcpl.cpl,-4805"

"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

"Text"="Disable"

"Type"="radio"

"ValueName"="2400"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SOIEAK\WINFX\XPS_DOCUMENTS\DISABLE]

"CheckedValue"=dword:00000003

"DefaultValue"=dword:00000003

"PlugUIText"="@inetcpl.cpl,-4805"

"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

"Text"="Disable"

"Type"="radio"

"ValueName"="2401"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SOIEAK\WinFXSetup\DISABLE]

"CheckedValue"=dword:00000003

"DefaultValue"=dword:00000003

"PlugUIText"="@inetcpl.cpl,-4805"

"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

"Text"="Disable"

"Type"="radio"

"ValueName"="2600"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\TemplatePolicies\MedHigh]

"1001"=dword:00000001

"1004"=dword:00000003

"1200"=dword:00000000

"1201"=dword:00000003

"1206"=dword:00000003

"1207"=dword:00000003

"1208"=dword:00000003

"1209"=dword:00000003

"120A"=dword:00000003

"1400"=dword:00000000

"1402"=dword:00000000

"1405"=dword:00000000

"1406"=dword:00000003

"1407"=dword:00000001

"1408"=dword:00000003

"1601"=dword:00000000

"1604"=dword:00000000

"1605"=dword:00000000

"1606"=dword:00000000

"1607"=dword:00000003

"1608"=dword:00000000

"1609"=dword:00000001

"160A"=dword:00000000

"1800"=dword:00000001

"1802"=dword:00000000

"1803"=dword:00000000

"1804"=dword:00000001

"1806"=dword:00000001

"1809"=dword:00000000

"1A00"=dword:00020000

"1A02"=dword:00000000

"1A03"=dword:00000000

"1A04"=dword:00000003

"1A05"=dword:00000001

"1A06"=dword:00000000

"1C00"=dword:00010000

"1E05"=dword:00020000

"2000"=dword:00000000

"2100"=dword:00000000

"2101"=dword:00000000

"2102"=dword:00000003

"2103"=dword:00000003

"2104"=dword:00000003

"2105"=dword:00000003

"2200"=dword:00000003

"2201"=dword:00000003

"2300"=dword:00000001

"2301"=dword:00000000

"2400"=dword:00000000

"2401"=dword:00000000

"2402"=dword:00000000

"2600"=dword:00000000

"Description"="Help prevent malware from accessing your computer."

"DisplayName"="Internet recommended safety (medium high security)"

"Icon"="wininet.dll#00001206"

"TemplateIndex"=dword:00011500

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\begun.ru\autocontext]

"*"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\nipd.it]

"*"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\redir.ws]

"*"=dword:00000004

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\redir.ws\www]

"*"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ssby.com]

"*"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\unini.it]

"*"=dword:00000004

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\unini.it\www]

"*"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\unobo.it]

"*"=dword:00000004

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\unobo.it\www]

"*"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\urlstat.ru]

"*"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\begun.ru\autocontext]

"*"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\nipd.it]

"*"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\redir.ws]

"*"=dword:00000004

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\redir.ws\www]

"*"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\ssby.com]

"*"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\unini.it]

"*"=dword:00000004

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\unini.it\www]

"*"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\unobo.it]

"*"=dword:00000004

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\unobo.it\www]

"*"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\urlstat.ru]

"*"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\PropertySystem\PropertyHandlers]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Wallpaper]

"DisplayName"="Wallpaper"

"UninstallString"="C:\Program Files\Wallpaper\uninst.exe"

"DisplayIcon"="C:\Program Files\Wallpaper\Wallpaper.exe"

"DisplayVersion"="5.0.3"

"URLInfoAbout"="http://www.silver76.com/"

"Publisher"="Silver76"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]

"DLLName"="wlnotify.dll"

"Logon"="RegisterTicketExpiredNotificationEvent"

"Logoff"="UnregisterTicketExpiredNotificationEvent"

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\CleanupWiz]

"NoRun"=dword:00000000

"Days between clean up"=dword:0000003c

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Wallpaper\MRU]

"0"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..

"1"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..

"2"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..

"3"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..

"4"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..

"5"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..

"6"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..

"7"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..

"8"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..

"9"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..

"10"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..

"11"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..

"12"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..

"13"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..

"14"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..

"15"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..

"16"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..

"17"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..

"18"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..

"19"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..

"20"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..

"21"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..

"22"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..

"23"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..

"24"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..

"25"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..

"26"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..

"27"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..

"28"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..

"29"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..

"30"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..

"31"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..

"32"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..

"33"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"34"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"35"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"36"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"MRUListEx"=hex:9b,00,00,00,9a,00,00,00,99,00,00,00,98,00,00,00,97,00,00,00,96,..

"37"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"38"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"39"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"40"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"41"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"42"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"43"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"44"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"45"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"46"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"47"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"48"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"49"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"50"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"51"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"52"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"53"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"54"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"55"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"56"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"57"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"58"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"59"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"60"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"61"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"62"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"63"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"64"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"65"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"66"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"67"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"68"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"69"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"70"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"71"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"72"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"73"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"74"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"75"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"76"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"77"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"78"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"79"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"80"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"81"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"82"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"83"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"84"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"85"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"86"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"87"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"88"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"89"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"90"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"91"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"92"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"93"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"94"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"95"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"96"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"97"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"98"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"99"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"100"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"101"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"102"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"103"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"104"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"105"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"106"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"107"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"108"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"109"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"110"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"111"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"112"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"113"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"114"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"115"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"116"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"117"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"118"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"119"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"120"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"121"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"122"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"123"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"124"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"125"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"126"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"127"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"128"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"129"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"130"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"131"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"132"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"133"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"134"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"135"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"136"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"137"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"138"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"139"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"140"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"141"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"142"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"143"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"144"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"145"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"146"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"147"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"148"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"149"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"150"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"151"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"152"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"153"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"154"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"155"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\begun.ru\autocontext]

"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\nipd.it]

"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\redir.ws]

"*"=dword:00000004

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\redir.ws\www]

"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ssby.com]

"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\unini.it]

"*"=dword:00000004

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\unini.it\www]

"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\unobo.it]

"*"=dword:00000004

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\unobo.it\www]

"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\urlstat.ru]

"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\begun.ru\autocontext]

"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\nipd.it]

"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\redir.ws]

"*"=dword:00000004

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\redir.ws\www]

"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\ssby.com]

"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\unini.it]

"*"=dword:00000004

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\unini.it\www]

"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\unobo.it]

"*"=dword:00000004

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\unobo.it\www]

"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\urlstat.ru]

"*"=dword:00000004

 

scanning hidden files ...

 

C:\WINDOWS\system32\drivers\EVXRVXRK.sys 179712 bytes executable

 

scan completed successfully

hidden services: 3

hidden files: 1

 

 

KProcCheck Version 0.2-beta1 Proof-of-Concept by SIG^2 (www.security.org.sg)

 

Process list by traversal of KiWaitListHead

 

4 - System

428 - cmd.exe

524 - mcmscsvc.exe

540 - csrss.exe

564 - winlogon.exe

608 - services.exe

620 - lsass.exe

816 - svchost.exe

860 - McNASvc.exe

936 - svchost.exe

984 - svchost.exe

1000 - McProxy.exe

1072 - Mcshield.exe

1080 - mpservic.exe

1096 - svchost.exe

1168 - aawservice.exe

1188 - MpfSrv.exe

1372 - explorer.exe

1468 - mcagent.exe

1476 - SiteAdv.exe

1536 - ctfmon.exe

1552 - msnmsgr.exe

1608 - MSCamS32.exe

2040 - msksrver.exe

3204 - IEXPLORE.EXE

3324 - alg.exe

3464 - usnsvc.exe

3612 - WinRAR.exe

4084 - mcsysmon.exe

 

Total number of processes = 29

NOTE: Under WinXP, this will not show all processes.

 

KProcCheck Version 0.2-beta1 Proof-of-Concept by SIG^2 (www.security.org.sg)

 

Driver/Module list by traversal of PsLoadedModuleList

 

804D7000 - \WINDOWS\system32\ntoskrnl.exe

806EC000 - \WINDOWS\system32\hal.dll

F8A51000 - \WINDOWS\system32\KDCOM.DLL

F8961000 - \WINDOWS\system32\BOOTVID.dll

F8501000 - ACPI.sys

F8A53000 - \WINDOWS\system32\DRIVERS\WMILIB.SYS

F84F0000 - pci.sys

F8551000 - isapnp.sys

F8A55000 - intelide.sys

F87D1000 - \WINDOWS\system32\DRIVERS\PCIIDEX.SYS

F8561000 - MountMgr.sys

F84D1000 - ftdisk.sys

F87D9000 - PartMgr.sys

F8571000 - VolSnap.sys

F84B9000 - atapi.sys

F8581000 - hpt3xx.sys

F84A1000 - \WINDOWS\system32\DRIVERS\SCSIPORT.SYS

F8591000 - disk.sys

F85A1000 - \WINDOWS\system32\DRIVERS\CLASSPNP.SYS

F8482000 - fltMgr.sys

F8470000 - sr.sys

F8965000 - hptpro.sys

F8459000 - KSecDD.sys

F83CC000 - Ntfs.sys

F839F000 - NDIS.sys

F8384000 - Mup.sys

F85B1000 - agp440.sys

F8731000 - \SystemRoot\system32\DRIVERS\p3.sys

F8329000 - \SystemRoot\system32\DRIVERS\atimpae.sys

F8315000 - \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS

F8891000 - \SystemRoot\system32\DRIVERS\RTL8029.SYS

F8899000 - \SystemRoot\system32\DRIVERS\RTL8139.SYS

F8741000 - \SystemRoot\system32\drivers\es1371mp.sys

F82F1000 - \SystemRoot\system32\drivers\portcls.sys

F8751000 - \SystemRoot\system32\drivers\drmk.sys

F82CE000 - \SystemRoot\system32\drivers\ks.sys

F88A1000 - \SystemRoot\system32\DRIVERS\fdc.sys

F82BA000 - \SystemRoot\system32\DRIVERS\parport.sys

F82A9000 - \SystemRoot\system32\DRIVERS\serial.sys

F8A0D000 - \SystemRoot\system32\DRIVERS\serenum.sys

F8761000 - \SystemRoot\system32\DRIVERS\i8042prt.sys

F88A9000 - \SystemRoot\system32\DRIVERS\kbdclass.sys

F88B1000 - \SystemRoot\system32\DRIVERS\mouclass.sys

F8771000 - \SystemRoot\system32\DRIVERS\imapi.sys

F8781000 - \SystemRoot\system32\DRIVERS\cdrom.sys

F8791000 - \SystemRoot\system32\DRIVERS\redbook.sys

F88B9000 - \SystemRoot\system32\DRIVERS\usbuhci.sys

F8286000 - \SystemRoot\system32\DRIVERS\USBPORT.SYS

F8BC7000 - \SystemRoot\system32\DRIVERS\audstub.sys

F87A1000 - \SystemRoot\system32\DRIVERS\rasl2tp.sys

F8A15000 - \SystemRoot\system32\DRIVERS\ndistapi.sys

F826F000 - \SystemRoot\system32\DRIVERS\ndiswan.sys

F87B1000 - \SystemRoot\system32\DRIVERS\raspppoe.sys

F87C1000 - \SystemRoot\system32\DRIVERS\raspptp.sys

F88C1000 - \SystemRoot\system32\DRIVERS\TDI.SYS

F825E000 - \SystemRoot\system32\DRIVERS\psched.sys

F85E1000 - \SystemRoot\system32\DRIVERS\msgpc.sys

F88C9000 - \SystemRoot\system32\DRIVERS\ptilink.sys

F88D1000 - \SystemRoot\system32\DRIVERS\raspti.sys

F85F1000 - \SystemRoot\system32\DRIVERS\termdd.sys

F8A77000 - \SystemRoot\system32\DRIVERS\swenum.sys

F8150000 - \SystemRoot\system32\DRIVERS\update.sys

F8A25000 - \SystemRoot\system32\DRIVERS\mssmbios.sys

F8601000 - \SystemRoot\system32\DRIVERS\usbhub.sys

F8A7B000 - \SystemRoot\system32\DRIVERS\USBD.SYS

F8611000 - \SystemRoot\System32\Drivers\NDProxy.SYS

F8A49000 - \SystemRoot\system32\DRIVERS\gameenum.sys

F88E1000 - \SystemRoot\system32\DRIVERS\flpydisk.sys

F8A7D000 - \SystemRoot\System32\Drivers\Fs_Rec.SYS

F8C96000 - \SystemRoot\System32\Drivers\Null.SYS

F8A7F000 - \SystemRoot\System32\Drivers\Beep.SYS

F88F1000 - \SystemRoot\System32\drivers\vga.sys

F8A81000 - \SystemRoot\System32\Drivers\mnmdd.SYS

F8A83000 - \SystemRoot\System32\DRIVERS\RDPCDD.sys

F88F9000 - \SystemRoot\System32\Drivers\Msfs.SYS

F8901000 - \SystemRoot\System32\Drivers\Npfs.SYS

F8360000 - \SystemRoot\system32\DRIVERS\rasacd.sys

F78D5000 - \SystemRoot\system32\DRIVERS\ipsec.sys

F787D000 - \SystemRoot\system32\DRIVERS\tcpip.sys

F7859000 - \SystemRoot\System32\Drivers\Mpfp.sys

F8641000 - \SystemRoot\system32\DRIVERS\ipfltdrv.sys

F7831000 - \SystemRoot\system32\DRIVERS\netbt.sys

F780F000 - \SystemRoot\System32\drivers\afd.sys

F8651000 - \SystemRoot\system32\DRIVERS\netbios.sys

F77E3000 - \SystemRoot\system32\DRIVERS\rdbss.sys

F774C000 - \SystemRoot\system32\DRIVERS\mrxsmb.sys

F771C000 - \SystemRoot\system32\drivers\mfehidk.sys

F76FB000 - \SystemRoot\system32\DRIVERS\ipnat.sys

F8661000 - \SystemRoot\System32\Drivers\Fips.SYS

F8671000 - \SystemRoot\system32\DRIVERS\wanarp.sys

F8909000 - \SystemRoot\system32\DRIVERS\usbprint.sys

F76D8000 - \SystemRoot\System32\Drivers\Fastfat.SYS

F76C0000 - \SystemRoot\System32\Drivers\dump_atapi.sys

F8A91000 - \SystemRoot\System32\Drivers\dump_WMILIB.SYS

BF800000 - \SystemRoot\System32\win32k.sys

F8951000 - \SystemRoot\System32\watchdog.sys

F8A01000 - \SystemRoot\System32\drivers\Dxapi.sys

BF9C1000 - \SystemRoot\System32\drivers\dxg.sys

F8C26000 - \SystemRoot\System32\drivers\dxgthk.sys

BFF50000 - \SystemRoot\System32\atidrae.dll

F6E48000 - \SystemRoot\system32\DRIVERS\rspndr.sys

F8184000 - \SystemRoot\System32\Drivers\Cdfs.SYS

F68BB000 - \SystemRoot\system32\drivers\wdmaud.sys

F6AE8000 - \SystemRoot\system32\drivers\sysaudio.sys

F65E1000 - \SystemRoot\system32\DRIVERS\mrxdav.sys

F8AF7000 - \SystemRoot\System32\Drivers\ParVdm.SYS

F88E9000 - \??\C:\WINDOWS\system32\drivers\cis1284.sys

F6587000 - \??\C:\WINDOWS\system32\drivers\EVXRVXRK.sys

F6546000 - \SystemRoot\System32\Drivers\HTTP.sys

F64CB000 - \SystemRoot\system32\DRIVERS\srv.sys

F8859000 - \SystemRoot\system32\drivers\mfebopk.sys

F5FF7000 - \SystemRoot\system32\drivers\mfeavfk.sys

F6878000 - \SystemRoot\system32\drivers\mfesmfk.sys

F58EB000 - \SystemRoot\system32\drivers\kmixer.sys

F8BFE000 - \SystemRoot\System32\DRIVERS\KProcCheck.sys

 

Total number of drivers = 115

 

Liste des programmes installes

 

Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)

Adobe Flash Player ActiveX

Adobe Photoshop 7.0

Adobe Reader 8.1.2 - Français

Adobe Reader 8.1.2 Security Update 1 (KB403742)

Archiveur WinRAR

AsfTools 3.1 (remove only)

Assistant de connexion Windows Live

Audacity 1.2.6

Canon MultiPASS ODBC Interface

Canon MultiPASS Suite 3.21

Canon ScanGear 4.0 pour MultiPASS

CCleaner (remove only)

FixMessenger

HijackThis 1.99.1

Lecteur Windows Media 11

LotoManager Pro 4.9

McAfee SecurityCenter

Microsoft FrontPage 2002

Microsoft LifeCam

Microsoft Office XP Professional

Microsoft Publisher 2002

Mozilla Firefox (2.0.0.5)

Nero 6

Nero Digital

Nero Media Player

NTREGOPT 1.1j

Shareaza 2.3.1.0

Skype 3.6

TTDX Configurator

WebFldrs XP

Windows Live installer

Windows Live Messenger

Windows Media Format 11 runtime

Windows Media Format 11 runtime

Windows Media Player 11

 

 

 

Le volume dans le lecteur C n'a pas de nom.

Le numéro de série du volume est E8F2-E0B7

 

Répertoire de C:\Program Files

 

19/08/2008 07:19 <REP> .

19/08/2008 07:19 <REP> ..

07/07/2008 15:20 <REP> Adobe

26/01/2008 10:54 <REP> Ahead

05/05/2007 15:32 <REP> AsfTools 3.1

19/01/2008 10:36 <REP> ATI Multimedia

29/06/2008 16:20 <REP> Audacity

25/02/2007 15:53 <REP> BaseDVDivX

12/02/2007 14:30 <REP> Canon

19/08/2008 07:19 <REP> CCleaner

10/03/2007 14:35 <REP> Ciel

12/02/2007 11:00 <REP> ComPlus Applications

30/07/2007 15:10 <REP> DialMessenger

30/07/2007 15:10 <REP> Dial-Messenger

07/03/2007 19:18 <REP> DivX

28/08/2007 18:32 <REP> DOSBox-0.72

19/05/2008 13:30 <REP> Fichiers communs

26/02/2007 08:41 <REP> FileZilla

20/01/2008 15:41 <REP> FixMessenger

16/08/2007 03:16 <REP> Google

14/03/2007 20:11 <REP> Hewlett-Packard

14/03/2007 20:07 <REP> HP

19/08/2008 05:39 <REP> Internet Explorer

18/05/2008 13:15 <REP> Inventel

09/11/2007 17:24 <REP> Java

18/08/2008 10:56 <REP> Lavasoft

07/07/2008 17:53 <REP> lotomanagerpro

07/07/2008 17:57 <REP> lotomanagerpro49

17/03/2007 11:32 <REP> Macromedia

15/08/2008 05:02 <REP> McAfee

22/07/2007 09:31 <REP> McAfee.com

13/08/2008 03:28 <REP> Messenger

03/03/2007 09:49 <REP> Micro Application

12/02/2007 11:04 <REP> microsoft frontpage

07/02/2008 13:40 <REP> Microsoft LifeCam

12/02/2007 11:28 <REP> Microsoft Office

17/05/2007 15:48 <REP> Movie Maker

22/01/2008 21:11 <REP> Mozilla Firefox

19/04/2007 16:01 <REP> MSN

12/02/2007 10:59 <REP> MSN Gaming Zone

19/04/2007 16:15 <REP> MSN Messenger

08/03/2007 08:01 <REP> MSXML 4.0

12/02/2007 11:01 <REP> NetMeeting

23/07/2008 10:32 <REP> NT Registry Optimizer

12/02/2007 10:59 <REP> Online Services

18/08/2008 20:40 <REP> Outlook Express

15/04/2007 06:45 <REP> Overland

12/03/2007 16:15 <REP> RegCleaner

21/10/2007 09:55 <REP> Samsung

12/02/2007 11:02 <REP> Services en ligne

28/05/2008 23:23 <REP> Shareaza

23/05/2008 17:34 <REP> SiteAdvisor

11/03/2008 10:26 <REP> Skype

19/08/2008 16:24 <REP> Spybot - Search & Destroy

04/02/2008 09:49 <REP> Wallpaper

12/07/2007 08:29 <REP> Winamp

20/01/2008 14:18 <REP> Windows Live

03/04/2007 17:55 <REP> Windows Media Connect 2

18/08/2008 20:40 <REP> Windows Media Player

12/02/2007 10:59 <REP> Windows NT

26/06/2008 16:44 <REP> WinRAR

12/02/2007 11:04 <REP> xerox

02/03/2007 16:45 <REP> XviD

12/02/2007 17:17 <REP> Yahoo!

0 fichier(s) 0 octets

64 Rép(s) 19 500 744 704 octets libres

Le volume dans le lecteur C n'a pas de nom.

Le numéro de série du volume est E8F2-E0B7

 

Répertoire de C:\Program Files\fichiers communs

 

19/05/2008 13:30 <REP> .

19/05/2008 13:30 <REP> ..

26/06/2008 16:17 <REP> Adobe

26/01/2008 10:40 <REP> Ahead

06/03/2007 13:36 <REP> Ciel

12/02/2007 11:25 <REP> Designer

17/03/2007 11:28 <REP> InstallShield

17/06/2007 07:59 <REP> Java

17/03/2007 11:33 <REP> Macromedia

17/03/2007 11:33 <REP> Macromedia Shared

18/11/2007 15:38 <REP> McAfee

26/01/2008 11:50 <REP> Microsoft Shared

12/02/2007 11:01 <REP> MSSoap

12/02/2007 11:52 <REP> ODBC

09/09/2007 21:20 <REP> PC SOFT

10/03/2007 14:37 <REP> Sage

12/02/2007 11:01 <REP> Services

16/02/2008 11:46 <REP> Skype

12/02/2007 11:52 <REP> SpeechEngines

18/08/2008 20:40 <REP> System

19/08/2008 07:30 <REP> Wise Installation Wizard

0 fichier(s) 0 octets

21 Rép(s) 19 500 744 704 octets libres

Le volume dans le lecteur C n'a pas de nom.

Le numéro de série du volume est E8F2-E0B7

 

Répertoire de C:\Program Files\fichiers communs\Microsoft Shared\Web Folders

 

26/01/2008 13:40 <REP> .

26/01/2008 13:40 <REP> ..

12/02/2007 11:25 <REP> 1033

26/01/2008 13:40 <REP> 1036

29/01/2004 16:08 1 277 952 MSONSEXT.DLL

13/02/2001 09:23 58 784 MSOSV.DLL

03/06/1999 13:09 122 937 MSOWS409.DLL

07/03/2001 08:00 127 033 MSOWS40c.DLL

06/08/2000 10:04 401 462 MSVCP60.DLL

29/01/2004 16:08 69 632 PKMAXCTL.DLL

29/01/2004 16:08 868 352 PKMCDO.DLL

29/01/2004 16:08 53 248 PKMCORE.DLL

29/01/2004 16:08 102 400 PKMFORMS.DLL

29/01/2004 16:38 634 880 PKMRES.DLL

29/01/2004 16:08 28 672 PKMSSTLB.DLL

22/01/2001 04:25 40 960 PKMTEMPL.DLL

29/01/2004 16:08 24 576 PKMTRACE.DLL

29/01/2004 16:08 86 016 PKMWS.DLL

29/01/2004 16:08 237 568 PROMDEMO.DLL

29/01/2004 16:08 184 320 SECMGR.DLL

29/01/2004 16:08 315 392 VAIDDMGR.DLL

29/01/2004 16:08 32 768 VAIMEM.DLL

18 fichier(s) 4 666 952 octets

4 Rép(s) 19 500 744 704 octets libres

 

 

 

 

c:\Documents and Settings\Alain\Application Data\Adobe\Acrobat\7.0\Updater\AdbeRdr709_fr_FR.exe

c:\Documents and Settings\Alain\Application Data\MSNInstaller\msnauins.exe

c:\Documents and Settings\Alain\Mes documents\Downloads\Shareaza_2.2.5.0.exe

c:\Documents and Settings\Alain\Mes documents\Downloads\ac97\A1mu600a\_ISDel.exe

c:\Documents and Settings\Alain\Mes documents\Downloads\ac97\A1mu600a\Setup.exe

c:\Documents and Settings\Alain\Mes documents\Downloads\ac97\A1mu600a\68\DOS\DOS4GW.EXE

c:\Documents and Settings\Alain\Mes documents\Downloads\ac97\A1mu600a\68\DOS\INSTALL.EXE

c:\Documents and Settings\Alain\Mes documents\Downloads\ac97\A1mu600a\74\WINAPP\SPKCFG.EXE

c:\Documents and Settings\Alain\Mes documents\Downloads\ac97\A1mu600a\ADeck\ADeck.exe

c:\Documents and Settings\Alain\Mes documents\Downloads\ac97\A1mu600a\ADeck\vpatch.exe

c:\Documents and Settings\Alain\Mes documents\Downloads\ms6577\915G_win2k_xp72\Setup.exe

c:\Documents and Settings\Alain\Mes documents\Downloads\ms6577\915G_win2k_xp72\Win2000\hkcmd.exe

c:\Documents and Settings\Alain\Mes documents\Downloads\ms6577\915G_win2k_xp72\Win2000\igfxcfg.exe

c:\Documents and Settings\Alain\Mes documents\Downloads\ms6577\915G_win2k_xp72\Win2000\igfxdiag.exe

c:\Documents and Settings\Alain\Mes documents\Downloads\ms6577\915G_win2k_xp72\Win2000\igfxext.exe

c:\Documents and Settings\Alain\Mes documents\Downloads\ms6577\915G_win2k_xp72\Win2000\igfxtray.exe

c:\Documents and Settings\Alain\Mes documents\Downloads\ms6577\915G_win2k_xp72\Win2000\igfxzoom.exe

c:\Documents and Settings\Alain\Mes documents\Downloads\realtek\ALCXXX\alcchkid.exe

c:\Documents and Settings\Alain\Mes documents\Downloads\realtek\ALCXXX\alcrmv.exe

c:\Documents and Settings\Alain\Mes documents\Downloads\realtek\ALCXXX\alcrmv64.exe

c:\Documents and Settings\Alain\Mes documents\Downloads\realtek\ALCXXX\alcrmv9x.exe

c:\Documents and Settings\Alain\Mes documents\Downloads\realtek\ALCXXX\alcupd.exe

c:\Documents and Settings\Alain\Mes documents\Downloads\realtek\ALCXXX\AlcUpd64.exe

c:\Documents and Settings\Alain\Mes documents\Downloads\realtek\ALCXXX\ALCXDEV.EXE

c:\Documents and Settings\Alain\Mes documents\Downloads\realtek\ALCXXX\ChCfg.exe

c:\Documents and Settings\Alain\Mes documents\Downloads\realtek\ALCXXX\GETDXVER.EXE

c:\Documents and Settings\Alain\Mes documents\Downloads\realtek\ALCXXX\SetCDfmt.exe

c:\Documents and Settings\Alain\Mes documents\Downloads\realtek\ALCXXX\setup.exe

c:\Documents and Settings\Alain\Mes documents\Downloads\realtek\ALCXXX\WDM\alcrmv.exe

c:\Documents and Settings\Alain\Mes documents\Downloads\realtek\ALCXXX\WDM\alcrmv64.exe

c:\Documents and Settings\Alain\Mes documents\Downloads\realtek\ALCXXX\WDM\ChCfg.exe

c:\Documents and Settings\Alain\Mes documents\Downloads\realtek\ALCXXX\WDM\CPLUtl64.exe

c:\Documents and Settings\Alain\Mes documents\Downloads\realtek\ALCXXX\WDM\RTLCPL.exe

c:\Documents and Settings\Alain\Mes documents\Downloads\realtek\ALCXXX\WDM\SoundMan.exe

c:\Documents and Settings\Alain.OBELIX\Application Data\Adobe\Acrobat\7.0\Updater\AdbeRdr709_fr_FR.exe

c:\Documents and Settings\Alain.OBELIX\Application Data\MSNInstaller\msnauins.exe

c:\Documents and Settings\Alain.OBELIX\Local Settings\Temp\0215731200818546mcinst.exe

c:\Documents and Settings\Alain.OBELIX\Local Settings\Temporary Internet Files\Content.IE5\GSYDS87G\DMSetup[1].exe

c:\Documents and Settings\Alain.OBELIX\Local Settings\Temporary Internet Files\Content.IE5\GSYDS87G\mvtapp[1].exe

c:\Documents and Settings\Alain.PC1GHZ\Bureau\spybotsd160.exe

c:\Documents and Settings\Alain.PC1GHZ\Local Settings\Application Data\Citrix\GoToAssist\GoToAssist_phone_application_482_fr.exe

c:\Documents and Settings\Alain.PC1GHZ\Mes documents\Downloads\Shareaza_2.2.5.0.exe

c:\Documents and Settings\Alain.PC1GHZ\Mes documents\Downloads\Shareaza_2.3.1.0.exe

c:\Documents and Settings\All Users.WINDOWS\Application Data\Lavasoft\Ad-Aware\Update\aaw2008_upd.exe

c:\Documents and Settings\All Users.WINDOWS\Documents\WallpaperSetup.exe

c:\Documents and Settings\Alain\Application Data\Macromedia\Dreamweaver MX 2004\Configuration\Flash Player\FlashPlayerW.dll

c:\Documents and Settings\Alain\Application Data\Macromedia\Dreamweaver MX 2004\Configuration\Flash Player\NPSWF32.dll

c:\Documents and Settings\Alain\Application Data\McAfee\Supportability\MVTLogs\Results\detect.dll

c:\Documents and Settings\Alain.OBELIX\Application Data\Macromedia\Dreamweaver MX 2004\Configuration\Flash Player\FlashPlayerW.dll

c:\Documents and Settings\Alain.OBELIX\Application Data\Macromedia\Dreamweaver MX 2004\Configuration\Flash Player\NPSWF32.dll

c:\Documents and Settings\Alain.OBELIX\Application Data\McAfee\Supportability\MVTLogs\Results\detect.dll

c:\Documents and Settings\Alain.PC1GHZ\Application Data\Macromedia\Dreamweaver MX 2004\Configuration\Flash Player\FlashPlayerW.dll

c:\Documents and Settings\Alain.PC1GHZ\Application Data\Macromedia\Dreamweaver MX 2004\Configuration\Flash Player\NPSWF32.dll

c:\Documents and Settings\Alain.PC1GHZ\Application Data\Microsoft\IdentityCRL\Production\ppcrlconfig.dll

c:\Documents and Settings\Alain.PC1GHZ\Application Data\OfficeUpdate12\oudetect.dll

c:\Documents and Settings\All Users\Application Data\Ciel\Données Communes\pdf.dll

c:\Documents and Settings\All Users\Application Data\Microsoft\IdentityCRL\production\ppcrlconfig.dll

c:\Documents and Settings\All Users.WINDOWS\Application Data\Ciel\Données communes\pdf.dll

c:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\IdentityCRL\production\ppcrlconfig.dll

c:\Documents and Settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll

c:\Documents and Settings\LocalService.AUTORITE NT.000\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll

 

****** Fin du rapport DiagHelp

Veuillez svp envoyer le fichier C:\upload_moi_PC1GHZ.tar.gz a l'adresse http://upload.malekal.com

  • Moderators
Posted

Re alainj77 :P

 

There are a few worrying elements; we'll take a closer look.

 

Download combofix.exe (by sUBs) and save it to your desktop.

  • Double-click combofix.exe to run it and follow the instructions.
  • When the scan is complete, a report will appear.
  • Copy and paste that report into your next reply.

Posted

Re Gof

Just my luck, the site doesn't seem to be responding. I'll wait a bit and try again.

But congratulations already: given the length of the report, I didn't expect to get an answer so quickly.

Posted

Re Gof

Well, I managed it. I got some McAfee alerts; I assume they were for ComboFix.

Here is the report

 

ComboFix 08-08-18.05 - Alain 2008-08-19 19:14:08.1 - NTFSx86

Microsoft Windows XP Édition familiale 5.1.2600.2.1252.1.1036.18.118 [GMT 2:00]

Endroit: C:\Documents and Settings\Alain.PC1GHZ\Bureau\ComboFix.exe

* Création d'un nouveau point de restauration

* Resident AV is active

 

 

AVERTISSEMENT - LA CONSOLE DE RÉCUPÉRATION N'EST PAS INSTALLÉE SUR CETTE MACHINE !!

.

 

(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\Documents and Settings\Alain.PC1GHZ\UserData

C:\Documents and Settings\Alain.PC1GHZ\UserData\4BT5LR6C\oWindowsUpdate[1].xml

C:\Documents and Settings\Alain.PC1GHZ\UserData\index.dat

 

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

-------\Service_poof

 

 

((((((((((((((((((((((((((((( Fichiers cr‚‚s 2008-07-19 to 2008-08-19 ))))))))))))))))))))))))))))))))))))

.

 

2008-08-19 16:52 . 2008-08-19 16:52 8,219,629 --a------ C:\upload_moi_PC1GHZ.tar.gz

2008-08-19 16:43 . 2008-08-19 17:02 <REP> d-------- C:\DiagHelp

2008-08-19 08:55 . 2008-01-20 12:24 <REP> d--h----- C:\Documents and Settings\Administrateur\Voisinage r‚seau

2008-08-19 08:55 . 2008-01-20 12:24 <REP> d--h----- C:\Documents and Settings\Administrateur\Voisinage d'impression

2008-08-19 08:55 . 2008-08-18 19:47 <REP> d--h----- C:\Documents and Settings\Administrateur\ModŠles

2008-08-19 08:55 . 2008-01-20 12:24 <REP> d-------- C:\Documents and Settings\Administrateur\Mes documents

2008-08-19 08:55 . 2008-01-20 12:24 <REP> dr------- C:\Documents and Settings\Administrateur\Menu D‚marrer

2008-08-19 08:55 . 2008-01-20 12:24 <REP> d-------- C:\Documents and Settings\Administrateur\Favoris

2008-08-19 08:55 . 2008-01-20 12:24 <REP> d-------- C:\Documents and Settings\Administrateur\Bureau

2008-08-19 08:55 . 2008-08-19 08:55 <REP> d-------- C:\Documents and Settings\Administrateur

2008-08-19 07:19 . 2008-08-19 07:19 <REP> d-------- C:\Program Files\CCleaner

2008-08-19 05:50 . 2004-08-05 14:00 1,875,968 --a--c--- C:\WINDOWS\system32\dllcache\msir3jp.lex

2008-08-19 05:49 . 2004-08-05 14:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll

2008-08-19 05:48 . 2004-05-13 00:39 876,653 --a--c--- C:\WINDOWS\system32\dllcache\fp4awel.dll

2008-08-19 05:46 . 2008-08-19 05:46 749 -rah----- C:\WINDOWS\WindowsShell.Manifest

2008-08-19 05:46 . 2008-08-19 05:46 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest

2008-08-19 05:46 . 2008-08-19 05:46 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest

2008-08-19 05:46 . 2008-08-19 05:46 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest

2008-08-19 05:46 . 2008-08-19 05:46 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest

2008-08-19 05:44 . 2004-08-05 14:00 16,384 --a--c--- C:\WINDOWS\system32\dllcache\isignup.exe

2008-08-19 05:41 . 2004-08-05 14:00 32,768 --a--c--- C:\WINDOWS\system32\dllcache\icwdl.dll

2008-08-19 05:40 . 2004-08-05 14:00 218,624 --a--c--- C:\WINDOWS\system32\dllcache\icwconn1.exe

2008-08-19 05:40 . 2004-08-05 14:00 86,016 --a--c--- C:\WINDOWS\system32\dllcache\icwconn2.exe

2008-08-19 05:40 . 2004-08-05 14:00 20,480 --a--c--- C:\WINDOWS\system32\dllcache\inetwiz.exe

2008-08-19 05:31 . 2004-08-03 22:31 20,992 --a------ C:\WINDOWS\system32\drivers\RTL8139.sys

2008-08-19 05:31 . 2001-08-17 20:12 19,017 --a------ C:\WINDOWS\system32\drivers\RTL8029.sys

2008-08-19 05:28 . 2004-08-05 14:00 1,014,836 -ra------ C:\WINDOWS\SET43.tmp

2008-08-19 01:20 . 2008-08-19 01:20 <REP> d-------- C:\WINDOWS\system32\CatRoot_bak

2008-08-18 19:47 . 2004-08-05 14:00 1,086,058 -ra------ C:\WINDOWS\SETC1.tmp

2008-08-18 19:47 . 2004-08-05 14:00 1,014,836 -ra------ C:\WINDOWS\SETBE.tmp

2008-08-18 19:47 . 2004-08-05 14:00 14,043 -ra------ C:\WINDOWS\SETCD.tmp

2008-08-13 03:36 . 2008-08-13 03:36 <REP> d-------- C:\WINDOWS\system32\Logs

2008-08-12 19:00 . 2008-08-12 19:00 29 --a------ C:\WINDOWS\system32\eearooqp.tmp

2008-08-12 18:57 . 2008-08-12 18:57 179,712 --a------ C:\WINDOWS\system32\drivers\EVXRVXRK.sys

2008-07-23 10:32 . 2008-07-23 10:32 <REP> d-------- C:\Program Files\NT Registry Optimizer

 

.

(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-08-19 14:24 --------- d-----w C:\Program Files\Spybot - Search & Destroy

2008-08-19 14:21 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy

2008-08-19 05:30 --------- d-----w C:\Program Files\Fichiers communs\Wise Installation Wizard

2008-08-18 15:27 --------- d-----w C:\Documents and Settings\Alain.PC1GHZ\Application Data\Skype

2008-08-18 15:24 --------- d-----w C:\Documents and Settings\Alain.PC1GHZ\Application Data\skypePM

2008-08-18 08:56 --------- d-----w C:\Program Files\Lavasoft

2008-08-18 08:56 --------- d-----w C:\Documents and Settings\Alain\Application Data\Lavasoft

2008-08-18 08:54 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Lavasoft

2008-08-17 12:26 --------- d-----w C:\Documents and Settings\Alain.PC1GHZ\Application Data\Ahead

2008-08-15 03:02 --------- d-----w C:\Program Files\McAfee

2008-07-31 09:53 --------- d-----w C:\Documents and Settings\Alain.PC1GHZ\Application Data\SiteAdvisor

2008-07-07 15:57 --------- d-----w C:\Program Files\lotomanagerpro49

2008-07-07 15:53 --------- d-----w C:\Program Files\lotomanagerpro

2008-06-29 14:20 --------- d-----w C:\Program Files\Audacity

2008-06-26 14:17 --------- d-----w C:\Program Files\Fichiers communs\Adobe

2008-05-19 11:19 691,545 ----a-w C:\WINDOWS\unins000.exe

2008-02-16 09:49 32 ----a-w C:\Documents and Settings\All Users.WINDOWS\Application Data\ezsid.dat

2008-01-26 11:31 61,248 ----a-w C:\Documents and Settings\Alain.PC1GHZ\Application Data\GDIPFONTCACHEV1.DAT

2007-03-04 06:58 84,008 ----a-w C:\Documents and Settings\Alain\Application Data\GDIPFONTCACHEV1.DAT

2007-03-04 06:58 84,008 ----a-w C:\Documents and Settings\Alain.OBELIX\Application Data\GDIPFONTCACHEV1.DAT

.

 

((((((((((((((((((((((((((((((((( Point de chargement Reg )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

REGEDIT4

*Note* les ‚l‚ments vides & les ‚l‚ments initiaux l‚gitimes ne sont pas list‚s

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Shareaza"="C:\Program Files\Shareaza\Shareaza.exe" [2008-01-01 17:49 4739072]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-05 14:00 15360]

"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 12:34 5724184]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 23:33 582992]

"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-08-24 23:57 36640]

"McENUI"="C:\PROGRA~1\McAfee\MHN\McENUI.exe" [2007-11-30 05:42 1164576]

"MP_STATUS_MONITOR"="C:\Program Files\Canon\MultiPASS\monitr32.exe" [2001-04-13 13:19 290816]

"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2006-01-12 16:40 155648]

"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]

--a------ 2007-10-18 12:34 5724184 C:\Program Files\Windows Live\Messenger\msnmsgr.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]

--a------ 2007-10-18 12:34 5724184 C:\Program Files\Windows Live\Messenger\msnmsgr.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]

-ra------ 2008-02-01 18:22 21898024 C:\Program Files\Skype\Phone\Skype.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"CTFMON.EXE"=C:\WINDOWS\system32\ctfmon.exe

"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k

"LifeCam"="C:\Program Files\Microsoft LifeCam\LifeExp.exe"

"MPTBox"="C:\Program Files\Canon\MultiPASS\MPTBox.exe"

"VX1000"=C:\WINDOWS\vVX1000.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"C:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=

"C:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=

"C:\\Program Files\\FileZilla\\FileZilla.exe"=

"C:\\Program Files\\Shareaza\\Shareaza.exe"=

"C:\\Program Files\\Ahead\\Nero ShowTime\\ShowTime.exe"=

"C:\\Program Files\\Fichiers communs\\McAfee\\MNA\\McNASvc.exe"=

"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

 

R0 hpt3xx;hpt3xx;C:\WINDOWS\system32\DRIVERS\hpt3xx.sys [2004-01-05 09:10]

R0 hptpro;hptpro;C:\WINDOWS\system32\DRIVERS\hptpro.sys [2003-01-27 15:12]

R2 cis1284;cis1284;C:\WINDOWS\system32\drivers\cis1284.sys [2001-04-13 10:09]

R2 MSCamSvc;MSCamSvc;C:\Program Files\Microsoft LifeCam\MSCamS32.exe [2007-05-17 23:45]

S3 VX1000;VX-1000;C:\WINDOWS\system32\DRIVERS\VX1000.sys [2007-04-10 23:46]

.

Contenu du dossier 'Scheduled Tasks/Tƒches planifi‚es'

 

2008-08-14 C:\WINDOWS\Tasks\McDefragTask.job

- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

 

2008-07-31 C:\WINDOWS\Tasks\McQcTask.job

- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

.

.

------- Supplementary Scan -------

.

FireFox -: Profile - C:\Documents and Settings\Alain.PC1GHZ\Application Data\Mozilla\Firefox\Profiles\m9qyjnid.default\

FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.fr

.

 

**************************************************************************

 

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-08-19 19:21:36

Windows 5.1.2600 Service Pack 2 NTFS

 

Balayage processus cach‚s ...

 

Balayage cach‚ autostart entries ...

 

Balayage des fichiers cach‚s ...

 

Scan termin‚ avec succŠs

Les fichiers cach‚s: 0

 

**************************************************************************

 

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Abiosdsk]

 

--

 

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\EVXRVXRK]

"ImagePath"="\??\C:\WINDOWS\system32\drivers\EVXRVXRK.sys"

--

 

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\WinSock2]

 

.

------------------------ Other Running Processes ------------------------

.

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

C:\PROGRA~1\FICHIE~1\McAfee\MNA\McNASvc.exe

C:\PROGRA~1\FICHIE~1\McAfee\McProxy\McProxy.exe

C:\Program Files\McAfee\VirusScan\Mcshield.exe

C:\Program Files\McAfee\MPF\MpfSrv.exe

C:\WINDOWS\system32\msiexec.exe

C:\Program Files\McAfee\MSK\msksrver.exe

C:\Program Files\Windows Live\Messenger\usnsvc.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

.

**************************************************************************

.

Temps d'accomplissement: 2008-08-19 19:27:18 - machine was rebooted

ComboFix-quarantined-files.txt 2008-08-19 17:27:05

 

Pre-Run: 19,425,083,392 octets libres

Post-Run: 19,749,986,304 octets libres

 

179 --- E O F --- 2008-08-19 01:08:55
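Two things in the ComboFix log above deserve a flag in any such report: the Security Center values that silence antivirus and firewall monitoring, and the service key whose ImagePath is the driver DiagHelp reported as hidden. The following Python triage script is an added example, not code from the thread or from ComboFix itself; it parses the REGEDIT4-style blocks from a constructed excerpt of that log and returns both findings.

```python
"""Triage of the REGEDIT4-style blocks in a ComboFix log.

Added example, not part of the thread and not ComboFix's own code. It
parses the bracketed registry blocks ComboFix prints and flags (1) Security
Center values that silence antivirus/firewall monitoring and (2) service keys
whose ImagePath is a kernel driver, the case of the hidden EVXRVXRK driver.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample modelled on the ComboFix output in the thread.
SAMPLE_LOG = r"""
REGEDIT4
*Note* empty elements are not listed

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 23:33 582992]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Abiosdsk]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\EVXRVXRK]
"ImagePath"="\??\C:\WINDOWS\system32\drivers\EVXRVXRK.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\WinSock2]
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')
SERVICE_KEY_RE = re.compile(
    r"^hkey_local_machine\\system\\(?:currentcontrolset|controlset\d+)\\services\\([^\\]+)$",
    re.IGNORECASE,
)
SECURITY_CENTER_PREFIX = "hkey_local_machine\\software\\microsoft\\security center"
# Value names that, when set to 1, stop Security Center from warning about
# or monitoring the installed antivirus / firewall.
TAMPER_VALUE_NAMES = {
    "antivirusdisablenotify", "firewalldisablenotify",
    "updatesdisablenotify", "disablemonitoring",
}


def parse_reg_blocks(text: str) -> Dict[str, Dict[str, str]]:
    """Map each [key] block to {value name: raw value text}."""
    blocks: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw_line in text.splitlines():
        line = raw_line.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current = key_match.group(1)
            blocks.setdefault(current, {})
            continue
        value_match = VALUE_RE.match(line)
        if value_match and current is not None:
            blocks[current][value_match.group(1)] = value_match.group(2).strip()
    return blocks


def dword_value(raw: str) -> Optional[int]:
    """Decode a 'dword:0000000x' value; None for any other value type."""
    if raw.lower().startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    return None


def find_security_center_tampering(blocks: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """(key, value name) pairs that silence Security Center monitoring."""
    hits: List[Tuple[str, str]] = []
    for key, values in blocks.items():
        if not key.lower().startswith(SECURITY_CENTER_PREFIX):
            continue
        for name, raw in values.items():
            if name.lower() in TAMPER_VALUE_NAMES and dword_value(raw) == 1:
                hits.append((key, name))
    return hits


def find_driver_services(blocks: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """(service name, image path) for service keys backed by a .sys driver."""
    hits: List[Tuple[str, str]] = []
    for key, values in blocks.items():
        match = SERVICE_KEY_RE.match(key)
        if not match:
            continue
        # ComboFix quotes the path; the \??\ prefix is the NT object-path form.
        image = values.get("ImagePath", "").strip('"')
        if image.lower().endswith(".sys"):
            hits.append((match.group(1), image))
    return hits


if __name__ == "__main__":
    parsed = parse_reg_blocks(SAMPLE_LOG)
    for key, name in find_security_center_tampering(parsed):
        print(f"Security Center silenced: {name} under {key}")
    for service, image in find_driver_services(parsed):
        print(f"Driver-backed service to hash and submit: {service} -> {image}")
```

The driver it returns is exactly the file the moderator asks to be submitted to VirusTotal below; the three Security Center hits explain why the user saw no warnings while scans were failing.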

Posted

Hello

Last night the scheduled virus scan ran again ===> the PC stops and restarts; no scan has been possible since 15/08.

So apparently something must still be there, or should I format and reinstall Windows?

Thanks

  • Moderators
Posted

Hello alainj77 :P

 

So apparently something must still be there, or should I format and reinstall Windows?

That is rarely necessary; with a bit of persistence and courage, we usually end up finding what is wrong. I'm going to ask you not to do any manipulations on your own, to avoid any problems. Then I'm going to ask you to do two small things: a scan with a particular tool, and an online scan of a file.

 

 

File analysis

  • Make sure you have access to hidden files and folders.
    To show hidden system files and folders:
    • Start, My Computer or any other folder, Tools menu -> Folder Options -> View tab:
    • Check the box: Show hidden files and folders
    • Uncheck the box: Hide extensions for known file types
    • Uncheck the box: Hide protected operating system files
      ---> Answer YES to the confirmation prompt
    • Click Apply, then OK

 

  • Go to this link: Virus Total
    • Click the Browse... button
    • Browse your folders to this file, if you find it:

    • C:\WINDOWS\system32\drivers\EVXRVXRK.sys

    • Click Send file, and if VirusTotal says the file has already been analysed, click the Reanalyse file now button.
    • Let the site work as long as "Current status: being analysed" is displayed.
    • The file may be put in a queue because of a large number of analysis requests. In that case you will have to wait without refreshing the page.
    • When the analysis is finished ("Current status: finished"), click Formatted (top left)
    • A new browser window will appear
    • Then click on the image (text-view button) shown there
    • Right-click on the page and choose Select all, then Copy
    • Finally, paste the result into your next reply.
      NB: Whatever the result, it is important to send me the result of the whole analysis.

    Your security tools may react to the file being sent, in which case you will need to make them ignore the alerts.

 

 

Generating a new report

  • Download gmer.
  • Disconnect from the internet if possible and close all programs.
  • Unzip the zip file and double-click gmer.exe
    IMPORTANT: If an alert from your antivirus appears for the gmer.sys or gmer.exe file, let it run.
  • Click the "rootkit" tab
  • On the right, make sure everything is checked
  • Click Scan
  • When the scan is finished, click "copy"

Open Notepad and click the Edit menu, then Paste. The report should then appear.

Save the file to your desktop and copy-paste its contents here.
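As an added example, not part of the thread and not code from ComboFix, GMER or VirusTotal: the moderator's two steps (find the driver file behind a service key, then have it analysed) can be done in one pass on a modern Windows box with PowerShell. The script below enumerates every kernel-driver service in the live registry, resolves its ImagePath (which comes in several shapes, as the `\??\C:\...` value in the ComboFix log shows), and computes the file's SHA-256 and Authenticode status, so a driver can be looked up on VirusTotal by hash instead of uploaded. It assumes an elevated PowerShell 4.0 or later (Get-FileHash), so it would not run as-is on the XP SP2 machine in the thread; the eight-uppercase-letter name pattern in `$SuspectPattern` is an assumed heuristic modelled on the EVXRVXRK entry above, not a rule.

```powershell
# Added example (not from the thread): inventory kernel-driver services, resolve
# each ImagePath to a file, hash it and read its signature status.
# Assumptions: elevated PowerShell 4.0+; $SuspectPattern is a made-up heuristic
# (8 uppercase letters, like the random-looking EVXRVXRK service in the log).

$SuspectPattern = '^[A-Z]{8}$'
$SystemRoot     = $env:SystemRoot

function Resolve-ImagePath {
    param([string]$ImagePath)
    # Registry ImagePath values take several forms:
    #   \??\C:\WINDOWS\system32\drivers\X.sys   NT object-manager prefix (seen in the ComboFix log)
    #   \SystemRoot\system32\drivers\X.sys       symbolic link to %SystemRoot%
    #   system32\drivers\X.sys                   relative to %SystemRoot%
    $p = $ImagePath.Trim('"')
    if ($p.StartsWith('\??\'))             { $p = $p.Substring(4) }              # strip "\??\"
    elseif ($p.StartsWith('\SystemRoot\')) { $p = Join-Path $SystemRoot $p.Substring(12) }  # strip "\SystemRoot\"
    elseif ($p -notmatch '^[A-Za-z]:\\')   { $p = Join-Path $SystemRoot $p }
    return $p
}

function Get-DriverInventory {
    # Type 1 = kernel driver, Type 2 = file-system driver; user-mode services are skipped.
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
        $svc  = $_.PSChildName
        $prop = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if (-not $prop.ImagePath) { return }
        if ($prop.Type -ne 1 -and $prop.Type -ne 2) { return }

        $path = Resolve-ImagePath $prop.ImagePath
        $info = [pscustomobject]@{
            Service = $svc
            Path    = $path
            Exists  = Test-Path -LiteralPath $path
            SHA256  = $null
            Signed  = $null
            Suspect = ($svc -match $SuspectPattern)   # heuristic only
        }
        if ($info.Exists) {
            # The SHA-256 is what you search for on VirusTotal; no upload needed if it is known.
            $info.SHA256 = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            # 'Valid' means a trusted Authenticode signature; 'NotSigned' is common for malware drivers.
            $info.Signed = (Get-AuthenticodeSignature -LiteralPath $path).Status
        }
        $info
    }
}

# Suspect-looking names and missing/unsigned files float to the top of the listing.
Get-DriverInventory | Sort-Object Suspect, Exists -Descending | Format-Table -AutoSize
```

One caveat, which is also why the moderator asks for a GMER rootkit scan rather than trusting the live system: this script reads the registry through the running kernel, and a driver that hooks the registry or file-system APIs can hide its own service key and file from it. ComboFix reported the EVXRVXRK key from ControlSet003 (a stored configuration set), whereas the script reads CurrentControlSet; a key present in one but not the other is itself worth noting. A service whose file does not exist (Exists = False) but whose key survives is the kind of remnant that causes exactly the "scanner crashes and reboots" symptom described above.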
