
[solved] Multiple and multiplying trojans



PS:

 

Logfile of HijackThis v1.99.1
Scan saved at 14:59:03, on 15/08/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webmail.neuf.fr/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus CX3600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE /P26 "EPSON Stylus CX3600 Series" /O6 "USB001" /M "Stylus CX3600"
O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\9 Telecom\modem ADSL USB Comtrend CT-350\DSLMON.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Pages liées - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Pages similaires - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Version de la page actuelle disponible dans le cache Google - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EC7270E1-2A8F-40AD-9A02-4B418FC01216}: NameServer = 194.117.200.10
O20 - Winlogon Notify: RunOnceEx - C:\WINDOWS\system32\nith.dll
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: Local Security Authority Server (LSA Server) - Unknown owner - C:\WINDOWS\system32\sys.exe (file missing)
O23 - Service: Universal Plug and Play device driver (upnpdrv) - Unknown owner - C:\WINDOWS\System32\upnpdrv.exe (file missing)


Guest Stonangel

Hello, download L2Mfix

http://www.atribune.org/downloads/l2mfix.exe http://www.downloads.subratam.org/l2mfix.exe

- download it to the desktop and double-click the L2Mfix.exe file
- click the "Install" button to unzip

---

- open the L2Mfix folder created on the desktop
- double-click L2Mfix.bat and choose option 1 Run Find Log (enter 1)
- after 1 or 2 minutes of searching, Notepad opens; post its contents on the forum.
(do not use option 2 or any other file in the L2Mfix folder)
- close all programs because there will be an automatic reboot

----------------------------------------------------------------------

- open the L2Mfix folder created on the desktop
- double-click L2Mfix.bat, choose option 2 Run Fix (enter 2) and press any key to restart the computer

After the restart, the desktop and icons will appear and then disappear; this is normal!

- L2Mfix will rescan the disk; after 1 or 2 minutes of searching, Notepad opens; post its contents on the forum together with a new HijackThis log.
(do not use any other file in the L2Mfix folder)


Good.

So I ran L2Mfix in normal mode:

 

RUN FIND LOG REPORT

 

L2MFIX find log 1.03b
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Internet Settings]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\nith.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

**********************************************************************************

useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{24D7C705-FE96-AB7E-E9CB-84EF57B649A2}"=""

**********************************************************************************

Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Feuille de propriétés du fichier multimédia"
"{176d6597-26d3-11d1-b350-080036a75b03}"="Gestion de scanneur ICM"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="Page de sécurité NTFS"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="Page des propriétés de OLE DocFile"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Extensions de l'environnement pour le partage"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Extension Affichage Carte du Panneau de configuration"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Extension Affichage Écran du Panneau de configuration"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Extension Affichage Panorama du Panneau de configuration"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="Page de sécurité DS"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Page de compatibilité"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Gestionnaire de données endommagées de l'environnement"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Extension copie de disquette"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Extensions de l'environnement pour les objets réseau de Microsoft Windows"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="Gestion d'écran ICM"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="Gestion d'imprimante ICM"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Extensions de l'environnement de compression de fichiers"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Extension de l'environnement d'imprimante Web"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Menu contextuel de cryptage"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Porte-documents"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="Extension icône HyperTerminal"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="Profil ICC"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Page de sécurité des imprimantes"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Extensions de l'environnement pour le partage"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Extension de cryptographie PKO"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Extension de cryptographie Sign"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Connexions réseau"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Connexions réseau"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="&Scanneurs et appareils photo"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="&Scanneurs et appareils photo"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="&Scanneurs et appareils photo"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="&Scanneurs et appareils photo"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="&Scanneurs et appareils photo"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Extension feuille de propriété de mise à jour automatique"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Extensions de l'interpréteur de commandes pour l'environnement d'exécution de scripts Windows"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Liaison de données Microsoft"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Tâches planifiées"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Barre des tâches et menu Démarrer"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Rechercher"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Aide et support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Aide et support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Exécuter..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="Courrier électronique"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Polices"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Outils d'administration"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Barre d'outils Internet Microsoft"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="État du téléchargement"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Dossier Bureau étendu"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Dossier du shell augmenté"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Bande du navigateur Microsoft"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Bande de recherche"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="Volet intégré de recherche"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Recherche Web"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Utilitaire des options de l'arborescence du Registre"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Adresse"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Boîte d'entrée de l'adresse"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Saisie semi-automatique Microsoft"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="Liste de saisie semi-automatique MRU"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Liste de saisie semi-automatique personnalisée MRU"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Barre de progrès auto-ouvrante"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Analyseur de la barre d'adresses"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Liste de saisie semi-automatique de l'historique Microsoft"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Liste de saisie semi-automatique du dossier Shell Microsoft"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Conteneur de la liste de saisie semi-automatique multiple Microsoft"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Menu Site de bandes"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Barre du Bureau"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="Assistance utilisateur"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Paramètres du dossier global"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="Historique"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="Image de démarrage de la Suite IE4"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="Dossier ActiveX Cache"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Dossier Inscription"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Gestionnaire d'applications d'environnement"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Énumérateur d'applications installées"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Publication d'application Darwin"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="Extracteur de miniatures de fichier + GDI"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Gestionnaire de miniatures - Informations de résumé (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="Extracteur de miniatures HTML"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Assistant Publication de sites Web"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Commande d'impressions via le Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Objet Assistant de publication Shell"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Assistant Obtenir une identité Passport"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="Comptes d'utilisateurs"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Fichier de chaîne"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Raccourci de chaîne"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Dossier Fichiers hors connexion"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="Des &personnes..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{E0D79304-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79305-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79306-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79307-84BE-11CE-9641-444553540000}"="WinZip"
"{46005977-4E62-454E-BDA6-3C88E7E03858}"=""

**********************************************************************************

HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{46005977-4E62-454E-BDA6-3C88E7E03858}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{46005977-4E62-454E-BDA6-3C88E7E03858}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{46005977-4E62-454E-BDA6-3C88E7E03858}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{46005977-4E62-454E-BDA6-3C88E7E03858}\InprocServer32]
@="C:\\WINDOWS\\system32\\ghedit.dll"
"ThreadingModel"="Apartment"

**********************************************************************************

Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
avferror.dll Mon 15 Aug 2005 14:34:56 ..S.R 417 792 408,00 K
cqmcat.dll Mon 15 Aug 2005 14:28:50 ..S.R 417 792 408,00 K
dmiman32.dll Mon 11 Jul 2005 12:05:34 ..S.R 417 792 408,00 K
dtdim.dll Fri 8 Jul 2005 14:41:48 ..S.R 417 792 408,00 K
dyd8thk.dll Fri 8 Jul 2005 14:41:54 ..S.R 417 792 408,00 K
fulemgmt.dll Wed 13 Jul 2005 10:24:48 ..S.R 417 792 408,00 K
ghedit.dll Mon 15 Aug 2005 15:00:06 ..S.R 417 792 408,00 K
gwfspi~1.dll Wed 3 Aug 2005 10:33:38 A.... 23 304 22,76 K
ifrop.dll Tue 12 Jul 2005 15:00:20 ..S.R 417 792 408,00 K
nith.dll Mon 15 Aug 2005 11:32:38 ..S.R 417 792 408,00 K
npapi32.dll Tue 12 Jul 2005 1:47:06 ..S.R 417 792 408,00 K
ny4_disp.dll Mon 15 Aug 2005 10:27:22 ..S.R 417 792 408,00 K
sqmsg.dll Mon 15 Aug 2005 14:45:40 ..S.R 417 792 408,00 K
vrs_ps.dll Wed 13 Jul 2005 10:11:02 ..S.R 417 792 408,00 K
wbnfax.dll Fri 22 Jul 2005 8:44:00 ..S.R 417 792 408,00 K
whaueng.dll Tue 12 Jul 2005 10:46:30 ..S.R 417 792 408,00 K
wqw32.dll Wed 13 Jul 2005 12:52:52 ..S.R 417 792 408,00 K

17 items found: 17 files (16 H/S), 0 directories.
Total of file sizes: 6 707 976 bytes 6,39 M
Locate .tmp files:

C:\WINDOWS\SYSTEM32\
guard.tmp Tue 12 Jul 2005 9:00:12 ..S.R 417 792 408,00 K

1 item found: 1 file (1 H/S), 0 directories.
Total of file sizes: 417 792 bytes 408,00 K
**********************************************************************************

Directory Listing of system files:
Le volume dans le lecteur C n'a pas de nom.
Le numéro de série du volume est 28BD-E2E4

Répertoire de C:\WINDOWS\System32

15/08/2005 15:00 417 792 ghedit.dll
15/08/2005 14:45 417 792 sqmsg.dll
15/08/2005 14:34 417 792 avferror.dll
15/08/2005 14:28 417 792 cqmcat.dll
15/08/2005 11:32 417 792 nith.dll
15/08/2005 10:27 417 792 ny4_disp.dll
13/08/2005 21:01 <REP> dllcache
22/07/2005 08:43 417 792 wbnfax.dll
13/07/2005 12:52 417 792 wqw32.dll
13/07/2005 10:24 417 792 fulemgmt.dll
13/07/2005 10:11 417 792 vrs_ps.dll
12/07/2005 15:00 417 792 ifrop.dll
12/07/2005 10:46 417 792 whaueng.dll
12/07/2005 09:00 417 792 guard.tmp
12/07/2005 01:47 417 792 npapi32.dll
11/07/2005 12:05 417 792 dmiman32.dll
08/07/2005 14:41 417 792 dYd8thk.dll
08/07/2005 14:41 417 792 dTdim.dll
02/03/1999 11:54 <REP> Microsoft
17 fichier(s) 7 102 464 octets
2 Rép(s) 72 613 986 304 octets libres

 

RUN FIX REPORT

 

L2Mfix 1.03b

Running From:
C:\Documents and Settings\asco\Bureau\l2mfix

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access AUTORITE NT\SYSTEM
(IO) ALLOW Full access AUTORITE NT\SYSTEM
(NI) ALLOW Full access AUTORITE NT\SYSTEM
(IO) ALLOW Full access AUTORITE NT\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Utilisateurs
(ID-IO) ALLOW Read BUILTIN\Utilisateurs
(ID-NI) ALLOW Read BUILTIN\Utilisateurs avec pouvoir
(ID-IO) ALLOW Read BUILTIN\Utilisateurs avec pouvoir
(ID-NI) ALLOW Full access BUILTIN\Administrateurs
(ID-IO) ALLOW Full access BUILTIN\Administrateurs
(ID-NI) ALLOW Full access AUTORITE NT\SYSTEM
(ID-IO) ALLOW Full access AUTORITE NT\SYSTEM
(ID-IO) ALLOW Full access CREATEUR PROPRIETAIRE

Setting registry permissions:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Denying C(CI) access for predefined group "Administrators"
- adding new ACCESS DENY entry

Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- BUILTIN\Administrateurs
(NI) ALLOW Full access AUTORITE NT\SYSTEM
(IO) ALLOW Full access AUTORITE NT\SYSTEM
(NI) ALLOW Full access AUTORITE NT\SYSTEM
(IO) ALLOW Full access AUTORITE NT\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Utilisateurs
(ID-IO) ALLOW Read BUILTIN\Utilisateurs
(ID-NI) ALLOW Read BUILTIN\Utilisateurs avec pouvoir
(ID-IO) ALLOW Read BUILTIN\Utilisateurs avec pouvoir
(ID-NI) ALLOW Full access BUILTIN\Administrateurs
(ID-IO) ALLOW Full access BUILTIN\Administrateurs
(ID-NI) ALLOW Full access AUTORITE NT\SYSTEM
(ID-IO) ALLOW Full access AUTORITE NT\SYSTEM
(ID-IO) ALLOW Full access CREATEUR PROPRIETAIRE

Setting up for Reboot

Starting Reboot!

C:\Documents and Settings\asco\Bureau\l2mfix
System Rebooted!

Running From:
C:\Documents and Settings\asco\Bureau\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 1144 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 1848 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINDOWS\system32\avferror.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\avferror.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\cqmcat.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\cqmcat.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\dmiman32.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\dmiman32.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\dTdim.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\dTdim.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\dYd8thk.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\dYd8thk.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\fulemgmt.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\fulemgmt.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\ghedit.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\ghedit.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\ifrop.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\ifrop.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\nith.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\nith.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\npapi32.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\npapi32.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\ny4_disp.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\ny4_disp.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\sqmsg.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\sqmsg.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\vrs_ps.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\vrs_ps.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\wbnfax.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\wbnfax.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\whaueng.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\whaueng.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\wqvdmod.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\wqvdmod.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\wqw32.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\wqw32.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\guard.tmp
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\guard.tmp
1 fichier(s) copié(s).
deleting: C:\WINDOWS\system32\avferror.dll
Successfully Deleted: C:\WINDOWS\system32\avferror.dll
deleting: C:\WINDOWS\system32\avferror.dll
Successfully Deleted: C:\WINDOWS\system32\avferror.dll
deleting: C:\WINDOWS\system32\cqmcat.dll
Successfully Deleted: C:\WINDOWS\system32\cqmcat.dll
deleting: C:\WINDOWS\system32\cqmcat.dll
Successfully Deleted: C:\WINDOWS\system32\cqmcat.dll
deleting: C:\WINDOWS\system32\dmiman32.dll
Successfully Deleted: C:\WINDOWS\system32\dmiman32.dll
deleting: C:\WINDOWS\system32\dmiman32.dll
Successfully Deleted: C:\WINDOWS\system32\dmiman32.dll
deleting: C:\WINDOWS\system32\dTdim.dll
Successfully Deleted: C:\WINDOWS\system32\dTdim.dll
deleting: C:\WINDOWS\system32\dTdim.dll
Successfully Deleted: C:\WINDOWS\system32\dTdim.dll
deleting: C:\WINDOWS\system32\dYd8thk.dll
Successfully Deleted: C:\WINDOWS\system32\dYd8thk.dll
deleting: C:\WINDOWS\system32\dYd8thk.dll
Successfully Deleted: C:\WINDOWS\system32\dYd8thk.dll
deleting: C:\WINDOWS\system32\fulemgmt.dll
Successfully Deleted: C:\WINDOWS\system32\fulemgmt.dll
deleting: C:\WINDOWS\system32\fulemgmt.dll
Successfully Deleted: C:\WINDOWS\system32\fulemgmt.dll
deleting: C:\WINDOWS\system32\ghedit.dll
Successfully Deleted: C:\WINDOWS\system32\ghedit.dll
deleting: C:\WINDOWS\system32\ghedit.dll
Successfully Deleted: C:\WINDOWS\system32\ghedit.dll
deleting: C:\WINDOWS\system32\ifrop.dll
Successfully Deleted: C:\WINDOWS\system32\ifrop.dll
deleting: C:\WINDOWS\system32\ifrop.dll
Successfully Deleted: C:\WINDOWS\system32\ifrop.dll
deleting: C:\WINDOWS\system32\nith.dll
Successfully Deleted: C:\WINDOWS\system32\nith.dll
deleting: C:\WINDOWS\system32\nith.dll
Successfully Deleted: C:\WINDOWS\system32\nith.dll
deleting: C:\WINDOWS\system32\npapi32.dll
Successfully Deleted: C:\WINDOWS\system32\npapi32.dll
deleting: C:\WINDOWS\system32\npapi32.dll
Successfully Deleted: C:\WINDOWS\system32\npapi32.dll
deleting: C:\WINDOWS\system32\ny4_disp.dll
Successfully Deleted: C:\WINDOWS\system32\ny4_disp.dll
deleting: C:\WINDOWS\system32\ny4_disp.dll
Successfully Deleted: C:\WINDOWS\system32\ny4_disp.dll
deleting: C:\WINDOWS\system32\sqmsg.dll
Successfully Deleted: C:\WINDOWS\system32\sqmsg.dll
deleting: C:\WINDOWS\system32\sqmsg.dll
Successfully Deleted: C:\WINDOWS\system32\sqmsg.dll
deleting: C:\WINDOWS\system32\vrs_ps.dll
Successfully Deleted: C:\WINDOWS\system32\vrs_ps.dll
deleting: C:\WINDOWS\system32\vrs_ps.dll
Successfully Deleted: C:\WINDOWS\system32\vrs_ps.dll
deleting: C:\WINDOWS\system32\wbnfax.dll
Successfully Deleted: C:\WINDOWS\system32\wbnfax.dll
deleting: C:\WINDOWS\system32\wbnfax.dll
Successfully Deleted: C:\WINDOWS\system32\wbnfax.dll
deleting: C:\WINDOWS\system32\whaueng.dll
Successfully Deleted: C:\WINDOWS\system32\whaueng.dll
deleting: C:\WINDOWS\system32\whaueng.dll
Successfully Deleted: C:\WINDOWS\system32\whaueng.dll
deleting: C:\WINDOWS\system32\wqvdmod.dll
Successfully Deleted: C:\WINDOWS\system32\wqvdmod.dll
deleting: C:\WINDOWS\system32\wqvdmod.dll
Successfully Deleted: C:\WINDOWS\system32\wqvdmod.dll
deleting: C:\WINDOWS\system32\wqw32.dll
Successfully Deleted: C:\WINDOWS\system32\wqw32.dll

deleting: C:\WINDOWS\system32\wqw32.dll

Successfully Deleted: C:\WINDOWS\system32\wqw32.dll

deleting: C:\WINDOWS\system32\guard.tmp

Successfully Deleted: C:\WINDOWS\system32\guard.tmp

deleting: C:\WINDOWS\system32\guard.tmp

Successfully Deleted: C:\WINDOWS\system32\guard.tmp

 

 

Zipping up files for submission:

adding: avferror.dll (164 bytes security) (deflated 48%)

adding: cqmcat.dll (164 bytes security) (deflated 48%)

adding: dmiman32.dll (164 bytes security) (deflated 48%)

adding: dTdim.dll (164 bytes security) (deflated 48%)

adding: dYd8thk.dll (164 bytes security) (deflated 48%)

adding: fulemgmt.dll (164 bytes security) (deflated 48%)

adding: ghedit.dll (164 bytes security) (deflated 48%)

adding: ifrop.dll (164 bytes security) (deflated 48%)

adding: nith.dll (164 bytes security) (deflated 48%)

adding: npapi32.dll (164 bytes security) (deflated 48%)

adding: ny4_disp.dll (164 bytes security) (deflated 48%)

adding: sqmsg.dll (164 bytes security) (deflated 48%)

adding: vrs_ps.dll (164 bytes security) (deflated 48%)

adding: wbnfax.dll (164 bytes security) (deflated 48%)

adding: whaueng.dll (164 bytes security) (deflated 48%)

adding: wqvdmod.dll (164 bytes security) (deflated 48%)

adding: wqw32.dll (164 bytes security) (deflated 48%)

adding: guard.tmp (164 bytes security) (deflated 48%)

adding: clear.reg (164 bytes security) (deflated 22%)

adding: echo.reg (164 bytes security) (deflated 9%)

adding: direct.txt (164 bytes security) (stored 0%)

adding: lo2.txt (164 bytes security) (deflated 88%)

adding: readme.txt (164 bytes security) (deflated 50%)

adding: report.txt (164 bytes security) (deflated 65%)

adding: report1.txt (164 bytes security) (deflated 65%)

adding: test.txt (164 bytes security) (deflated 89%)

adding: test2.txt (164 bytes security) (stored 0%)

adding: test3.txt (164 bytes security) (stored 0%)

adding: test5.txt (164 bytes security) (stored 0%)

adding: xfind.txt (164 bytes security) (deflated 86%)

adding: backregs/46005977-4E62-454E-BDA6-3C88E7E03858.reg (164 bytes security) (deflated 70%)

adding: backregs/notibac.reg (164 bytes security) (deflated 87%)

adding: backregs/shell.reg (164 bytes security) (deflated 74%)

 

Restoring Registry Permissions:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

 

Revoking access for predefined group "Administrators"

Inherited ACE can not be revoked here!

Inherited ACE can not be revoked here!

 

 

Registry permissions set too:

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:

(NI) ALLOW Full access AUTORITE NT\SYSTEM

(IO) ALLOW Full access AUTORITE NT\SYSTEM

(NI) ALLOW Full access AUTORITE NT\SYSTEM

(IO) ALLOW Full access AUTORITE NT\SYSTEM

(ID-NI) ALLOW Read BUILTIN\Utilisateurs

(ID-IO) ALLOW Read BUILTIN\Utilisateurs

(ID-NI) ALLOW Read BUILTIN\Utilisateurs avec pouvoir

(ID-IO) ALLOW Read BUILTIN\Utilisateurs avec pouvoir

(ID-NI) ALLOW Full access BUILTIN\Administrateurs

(ID-IO) ALLOW Full access BUILTIN\Administrateurs

(ID-NI) ALLOW Full access AUTORITE NT\SYSTEM

(ID-IO) ALLOW Full access AUTORITE NT\SYSTEM

(ID-IO) ALLOW Full access CREATEUR PROPRIETAIRE

 

 

Restoring Sedebugprivilege:

 

Granting SeDebugPrivilege to Administrators ... failed (GetAccountSid(Administrators)=1332

 

deleting local copy: avferror.dll

deleting local copy: avferror.dll

deleting local copy: cqmcat.dll

deleting local copy: cqmcat.dll

deleting local copy: dmiman32.dll

deleting local copy: dmiman32.dll

deleting local copy: dTdim.dll

deleting local copy: dTdim.dll

deleting local copy: dYd8thk.dll

deleting local copy: dYd8thk.dll

deleting local copy: fulemgmt.dll

deleting local copy: fulemgmt.dll

deleting local copy: ghedit.dll

deleting local copy: ghedit.dll

deleting local copy: ifrop.dll

deleting local copy: ifrop.dll

deleting local copy: nith.dll

deleting local copy: nith.dll

deleting local copy: npapi32.dll

deleting local copy: npapi32.dll

deleting local copy: ny4_disp.dll

deleting local copy: ny4_disp.dll

deleting local copy: sqmsg.dll

deleting local copy: sqmsg.dll

deleting local copy: vrs_ps.dll

deleting local copy: vrs_ps.dll

deleting local copy: wbnfax.dll

deleting local copy: wbnfax.dll

deleting local copy: whaueng.dll

deleting local copy: whaueng.dll

deleting local copy: wqvdmod.dll

deleting local copy: wqvdmod.dll

deleting local copy: wqw32.dll

deleting local copy: wqw32.dll

deleting local copy: guard.tmp

deleting local copy: guard.tmp

 

The following Is the Current Export of the Winlogon notify key:

****************************************************************************

Windows Registry Editor Version 5.00

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\

6c,00,00,00

"Logoff"="ChainWlxLogoffEvent"

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\

6c,00,6c,00,00,00

"Logoff"="CryptnetWlxLogoffEvent"

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]

"DLLName"="cscdll.dll"

"Logon"="WinlogonLogonEvent"

"Logoff"="WinlogonLogoffEvent"

"ScreenSaver"="WinlogonScreenSaverEvent"

"Startup"="WinlogonStartupEvent"

"Shutdown"="WinlogonShutdownEvent"

"StartShell"="WinlogonStartShellEvent"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000001

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]

"DLLName"="wlnotify.dll"

"Logon"="SCardStartCertProp"

"Logoff"="SCardStopCertProp"

"Lock"="SCardSuspendCertProp"

"Unlock"="SCardResumeCertProp"

"Enabled"=dword:00000001

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]

"Asynchronous"=dword:00000000

"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\

6c,00,6c,00,00,00

"Impersonate"=dword:00000000

"StartShell"="SchedStartShell"

"Logoff"="SchedEventLogOff"

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]

"Logoff"="WLEventLogoff"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000001

"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\

6c,00,6c,00,00,00

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]

"DLLName"="WlNotify.dll"

"Lock"="SensLockEvent"

"Logon"="SensLogonEvent"

"Logoff"="SensLogoffEvent"

"Safe"=dword:00000001

"MaxWait"=dword:00000258

"StartScreenSaver"="SensStartScreenSaverEvent"

"StopScreenSaver"="SensStopScreenSaverEvent"

"Startup"="SensStartupEvent"

"Shutdown"="SensShutdownEvent"

"StartShell"="SensStartShellEvent"

"PostShell"="SensPostShellEvent"

"Disconnect"="SensDisconnectEvent"

"Reconnect"="SensReconnectEvent"

"Unlock"="SensUnlockEvent"

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]

"Asynchronous"=dword:00000000

"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\

6c,00,6c,00,00,00

"Impersonate"=dword:00000000

"Logoff"="TSEventLogoff"

"Logon"="TSEventLogon"

"PostShell"="TSEventPostShell"

"Shutdown"="TSEventShutdown"

"StartShell"="TSEventStartShell"

"Startup"="TSEventStartup"

"MaxWait"=dword:00000258

"Reconnect"="TSEventReconnect"

"Disconnect"="TSEventDisconnect"

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]

"DLLName"="wlnotify.dll"

"Logon"="RegisterTicketExpiredNotificationEvent"

"Logoff"="UnregisterTicketExpiredNotificationEvent"

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]

"DLLName"="wzcdlg.dll"

"Logon"="WZCEventLogon"

"Logoff"="WZCEventLogoff"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000000

 

 

The following are the files found:

****************************************************************************

C:\WINDOWS\system32\avferror.dll

C:\WINDOWS\system32\avferror.dll

C:\WINDOWS\system32\cqmcat.dll

C:\WINDOWS\system32\cqmcat.dll

C:\WINDOWS\system32\dmiman32.dll

C:\WINDOWS\system32\dmiman32.dll

C:\WINDOWS\system32\dTdim.dll

C:\WINDOWS\system32\dTdim.dll

C:\WINDOWS\system32\dYd8thk.dll

C:\WINDOWS\system32\dYd8thk.dll

C:\WINDOWS\system32\fulemgmt.dll

C:\WINDOWS\system32\fulemgmt.dll

C:\WINDOWS\system32\ghedit.dll

C:\WINDOWS\system32\ghedit.dll

C:\WINDOWS\system32\ifrop.dll

C:\WINDOWS\system32\ifrop.dll

C:\WINDOWS\system32\nith.dll

C:\WINDOWS\system32\nith.dll

C:\WINDOWS\system32\npapi32.dll

C:\WINDOWS\system32\npapi32.dll

C:\WINDOWS\system32\ny4_disp.dll

C:\WINDOWS\system32\ny4_disp.dll

C:\WINDOWS\system32\sqmsg.dll

C:\WINDOWS\system32\sqmsg.dll

C:\WINDOWS\system32\vrs_ps.dll

C:\WINDOWS\system32\vrs_ps.dll

C:\WINDOWS\system32\wbnfax.dll

C:\WINDOWS\system32\wbnfax.dll

C:\WINDOWS\system32\whaueng.dll

C:\WINDOWS\system32\whaueng.dll

C:\WINDOWS\system32\wqvdmod.dll

C:\WINDOWS\system32\wqvdmod.dll

C:\WINDOWS\system32\wqw32.dll

C:\WINDOWS\system32\wqw32.dll

C:\WINDOWS\system32\guard.tmp

C:\WINDOWS\system32\guard.tmp

 

Registry Entries that were Deleted:

Please verify that the listing looks ok.

If there was something deleted wrongly there are backups in the backreg folder.

****************************************************************************

REGEDIT4

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

"{46005977-4E62-454E-BDA6-3C88E7E03858}"=-

[-HKEY_CLASSES_ROOT\CLSID\{46005977-4E62-454E-BDA6-3C88E7E03858}]

REGEDIT4

 

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

****************************************************************************

Desktop.ini Contents:

****************************************************************************

****************************************************************************

 

HJT REPORT in safe mode:

 

Logfile of HijackThis v1.99.1

Scan saved at 15:33:05, on 15/08/2005

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webmail.neuf.fr/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe

O4 - HKLM\..\Run: [EPSON Stylus CX3600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE /P26 "EPSON Stylus CX3600 Series" /O6 "USB001" /M "Stylus CX3600"

O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: DSLMON.lnk = C:\Program Files\9 Telecom\modem ADSL USB Comtrend CT-350\DSLMON.exe

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Pages liées - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Pages similaires - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Version de la page actuelle disponible dans le cache Google - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll

O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{EC7270E1-2A8F-40AD-9A02-4B418FC01216}: NameServer = 194.117.200.10

O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE

O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE

O23 - Service: Universal Plug and Play device driver (upnpdrv) - Unknown owner - C:\WINDOWS\System32\upnpdrv.exe (file missing)

 

 

 

 

PS: I no longer have any quick-launch buttons in the toolbar.

 

See you later :P
