Aller au contenu

  • Pas encore inscrit ?

    Pourquoi ne pas vous inscrire ? C'est simple, rapide et gratuit.
    Pour en savoir plus, lisez Les avantages de l'inscription... et la Charte de Zébulon.
    De plus, les messages que vous postez en tant qu'invité restent invisibles tant qu'un modérateur ne les a pas validés. Inscrivez-vous, ce sera un gain de temps pour tout le monde, vous, les helpeurs et les modérateurs ! :wink:

[résolu]Exmodulah

Blaise

Par Blaise
dans Analyses et éradication malwares

 Partager

Messages recommandés

Blaise Member

Blaise

Posté(e)
Posté(e) (modifié)

bonsoir,

 

j'ai une merde qui réapparait tout le temps sous la forme XXexmodulah.exe (où XX est un chiffre au hazard). Il est caché dans le dossier temp, et réapparait au bout d'un moment a chaque fois que je l'utilise. Je l'ai découvert car a chaque fois il demande un acces au net, donc Kerio le detecte...

J'ai fais Bitdenfender, Antivir en mode sans echec.. mais ils ne trouvent rien et ça revient !

 

Voici un rapport, j'espère que vous pourrez m'aider...

 

Logfile of HijackThis v1.99.1

Scan saved at 17:39:32, on 24/02/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Fichiers communs\Logitech\Bluetooth\LBTSERV.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\Program Files\WIDCOMM\Logiciel Bluetooth\bin\btwdins.exe

C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe

C:\Program Files\Logitech\Easy Synchronization\servicestub.exe

C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe

C:\Program Files\Fichiers communs\Softwin\BitDefender Communicator\xcommsvr.exe

C:\Program Files\Fichiers communs\Softwin\BitDefender Scan Server\bdss.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\D-Tools\daemon.exe

C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

C:\Program Files\Winamp\winampa.exe

C:\Program Files\Softwin\BitDefender8\bdmcon.exe

C:\Program Files\Softwin\BitDefender8\bdnagent.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

C:\Program Files\Logitech\SetPoint\LBTWiz.exe

C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\ASUS\Ai Booster\OverClk.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

C:\Program Files\Flash 32\Flash32.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\FreeBrowser\FreeBrowser\FreeBrowser.exe

C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\WIDCOMM\Logiciel Bluetooth\BTTray.exe

C:\Program Files\Belkin\Nostromo\nost_LM.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Program Files\PyGrenouille\pygrenouille.exe

C:\Program Files\Folding@Home\winFAH.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe

G:\Emule\emule.exe

C:\Program Files\SpeedFan\speedfan.exe

C:\PROGRA~1\WIDCOMM\LOGICI~1\BTSTAC~1.EXE

C:\Program Files\Fichiers communs\Logitech\KHAL\KHALMNPR.EXE

C:\Program Files\Folding@Home\FahCore_82.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\Nono\Bureau\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe

O4 - HKLM\..\Run: [bDMCon] "C:\Program Files\Softwin\BitDefender8\bdmcon.exe"

O4 - HKLM\..\Run: [bDNewsAgent] "C:\Program Files\Softwin\BitDefender8\bdnagent.exe"

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [Logitech BT Wizard] LBTWiz.exe -silent

O4 - HKLM\..\Run: [Easy Synchronization] C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [Launch Ai Booster] "C:\Program Files\ASUS\Ai Booster\OverClk.exe"

O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s

O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [.nvsvc] C:\WINDOWS\system\smss.exe /w

O4 - HKLM\..\Run: [Flash32] c:\Program Files\Flash 32\Flash32.exe

O4 - HKLM\..\RunOnce: [Easy Synchronization] C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe --ports

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [FreeBrowser] C:\Program Files\FreeBrowser\FreeBrowser\FreeBrowser.exe

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"

O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - Startup: BitTorrent.lnk = C:\Program Files\BitTorrent\bittorrent.exe

O4 - Startup: Folding@Home 5.03.lnk = ?

O4 - Startup: Raccourci vers emule.exe.lnk = G:\Emule\emule.exe

O4 - Startup: SpeedFan.lnk = C:\Program Files\SpeedFan\speedfan.exe

O4 - Global Startup: BTTray.lnk = ?

O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Loadout Manager.lnk = C:\Program Files\Belkin\Nostromo\nost_LM.exe

O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe

O4 - Global Startup: PyGrenouille.lnk = C:\Program Files\PyGrenouille\pygrenouille.exe

O4 - Global Startup: SATARAID5.lnk = ?

O8 - Extra context menu item: &Traduire à partir de l'anglais - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html

O8 - Extra context menu item: &Télécharger avec NetTransport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html

O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Pages liées - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Pages similaires - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Recherche &Google - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Tout t&élécharger avec NetTransport - C:\Program Files\Xi\NetTransport 2\NTAddList.html

O8 - Extra context menu item: Version de la page actuelle disponible dans le cache Google - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Créer un Favori de l'appareil mobile - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll

O9 - Extra 'Tools' menuitem: Créer un Favori de l'appareil mobile... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll

O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Logiciel Bluetooth\btsendto_ie.htm

O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Logiciel Bluetooth\btsendto_ie.htm

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1130345016717

O17 - HKLM\System\CCS\Services\Tcpip\..\{9FAB7E0F-5DA5-45E4-91DD-39FE3A806B0A}: NameServer = 212.27.32.176,212.27.32.177

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: LBTWlgn - c:\program files\fichiers communs\logitech\bluetooth\LBTWlgn.dll

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Fichiers communs\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)

O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Logiciel Bluetooth\bin\btwdins.exe

O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe

O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech Inc. - C:\Program Files\Fichiers communs\Logitech\Bluetooth\LBTSERV.EXE

O23 - Service: Logitech Easy Synchronization - Unknown owner - C:\Program Files\Logitech\Easy Synchronization\servicestub.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Windows Log - Unknown owner - C:\WINDOWS\system32\nvsvcd.exe

O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Fichiers communs\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

 

Modifié par Blaise

regis56 Godlike Member

regis56

Posté(e)
Posté(e) (modifié)

Bonjour Blaise et bienvenu sur le forum zéb-sécu !

 

Avant tout attend une réponse d'un conseiller en sécurité pour ton rapport !

 

Utiliser la fonction rechercher via "démarrer/rechercher/des fichiers ou des dossiers"

 

Rechercher :

exmodulah.exe

 

Poste nous dans ta prochaine réponse le chemin indiqué pour ton fichier!

 

(ex: C:\WINDOWS\système32\exmodulah.exe C:\WINDOWS\système32\ :représente le chemin :P )

 

A plus !

Modifié par regis56
regis56 Godlike Member

regis56

Posté(e)
Posté(e) (modifié)

Re

 

-Télécharger et installer EasyCleaner de Toni Helenius : (Programme faisant parti de la catégorie des nettoyeurs)

http://personal.inet.fi/business/toniarts/ecleane.htm

 

-Télécharger Ewido: (Programme faisant parti des antymalwares)

http://www.ewido.net/fr/download/

 

Installer et mettre à jour.

 

Important: Pendant l'installation, sur la page "Additional Options" décocher les deux options "Install background guard" et "Install scan via context menu".

 

Démarrer Ewido avec l'icône qui se trouve sur le Bureau. Cliquer sur mise à jour, attendre la fin de cette mise à jour puis, fermer le programme.

 

Redémarrer en mode sans échec :

(En mode sans échec : seul les processus systèmes sont lancés il est donc plus facile de supprimer ce qui est infecté.)

 

Au redémarrage de l'ordinateur, une fois le chargement du BIOS terminé,

il y a un écran noir qui apparaît rapidement, appuyer sur la touche [F8] ou [F5]

jusqu’à l'affichage du menu des options avancées de Windows. Sélectionner "Mode sans échec"

et appuyer sur [Entrée].

 

lancer Ewido et cliquer sur scanner puis sur scan complet du système.

 

Si des fichiers infectés sont trouvés, garder l'option par défaut Supprimer (avec la ligne "Créer des copies de sauvegarde cryptées dans la quarantaine" cochée), et cocher "Effectuer cette action avec toutes les infections".

 

A la fin du scan, sauvegarder le rapport (Fichier/Enregistrer sous...) sur le Bureau.

 

12/ Exécuter EasyCleaner (Utiliser le raccourci sur le bureau):

(Utilitaire qui va supprimer les dossiers temporaires/inutiles et nettoyer la base de registre)

 

-Utiliser les fonctions "Inutiles" et "Registre" seulement. Ne pas toucher à la fonction "doublons".

 

Redémarrer en mode normal.

 

-Poster le rapport Ewido

-Indiquer si le Pc présente encore des dysfonctionnements

 

Bon courage a plus !

Modifié par regis56
tornado Full Patch Member

tornado

Posté(e)
Posté(e) (modifié)

Salut blaise, regis56,

 

J'ajouterais quelques remarques, en plus de tout ce que tu as dit régis...

 

 

G:\Emule\emule.exe

O4 - Startup: Raccourci vers emule.exe.lnk = G:\Emule\emule.exe

O4 - Startup: BitTorrent.lnk = C:\Program Files\BitTorrent\bittorrent.exe

 

 

:P L'utilisation de logiciels de p2p est une source d'infections, et peut avoir de lourdes conséquences sur ton système. Lis cet article de Tesgaz pour t'en rendre compte ---> http://forum.zebulon.fr/index.php?showtopic=85544

 

Par ailleurs, c'est contraire à la charte du forum.

 

 

Pour éviter toute infection future, désinstalle les programmes suivants via "ajouter/supprimer des programmes"

 

- Emule

- bittorent

 

Puis supprime les dossiers en gras:

 

- C:\Program files\emule

- C:\Program files\bittorent

 

 

Bon sinon, je vois que tu as 2 antivirus... mais cela provoque des conflits et ralentit ton système.

Désinstalle donc soit AVG soit Bitdefender. Je te conseille de garder Bitdefender, car AVG n'est réputé pas très efficace...

Modifié par tornado
Blaise Member

Blaise

Posté(e)
  • Auteur
Posté(e) (modifié)

Bon...

 

Ewido m'a trouvé que des tracking cookies... Mais la bestiole est toujours là...

Easycleaner ne veut meme pas démaré... J'ai l'impression que mon système en a pris un coup dans l'aile...

 

Il est vrai que le P2P c'est pas le top, mais on ne trouve pas que des trucs illicites dessus...

Mais il est vrai aussi que c'est a cause de lui aussi que j'ai cette merde, car je pense que c'est quand j'ai ouvert un truc avec un faux nom (j'adore les gens qui renoment les fichers sur la mule...) que je l'ai contracté.

Mais bon, si le mot p2p vous donne des soucis, virer ce post, je vous comprendrais...

 

Ce qui est bizarre, c'est que exmodulah, je le trouve nulle part sur le net... google m'envoie chier...

Quelqu'un connait ce truc ?

 

Bref, ça sens le formatage... (j'en ai marre d'appeller crosoft parce qu'ils veulent plus me filler l'activation par le net...)

 

Une dernière chose, je me demendais qu'elle été le mieux ? AVG ou Antivir, mais je pense avoir trouvé la réponse... Ensuite, bitdenfender, étant donné qu'il faut payé pour avoir une protection permenante, est-ce bien de le conservé en parrallèle avec antivir pour un scan périodique, où ça sert a rien car antivir est aussi puissant ?

 

Merci de vos conseils !

Je suis toujours preneur de quoi que ce soit...

 

PS : désolé pour mon langage familier...

Modifié par Blaise
regis56 Godlike Member

regis56

Posté(e)
Posté(e)

Re

 

Ton système est infecté je te le confirme !

 

Ne formate pas tout de suite il y a des solutions avant !!

 

Par contre il est important de suivre les conseils!

 

1/Désinstalle les logiciels de p2p

 

2/Si easycleaner ne fonctionne pas essaye Ccleaner que tu trouvera ici

 

3/Attend la procédure d'un conseiller en sécurité

 

A plus !

bruce lee Devil Member !

bruce lee

Posté(e)
Posté(e)

bonsoir blaise, regis56 tornado, bonsoir à tous et à toutes

 

on va verifier si c'est une bestiole qui se lance en silence.

 

1/telecharge silent runners http://www.silentrunners.org/Silent%20Runners.vbs

 

2/déconnecte toi du net et ferme toutes les applications en cours.

 

3/lance silent runners laisse le travailler quand il aura finit de scanner tu en sauras averti par un message et un nouveau fichier texte sera crée ouvre ce fichier texte et colle nous la totalité du rapport.

Blaise Member

Blaise

Posté(e)
  • Auteur
Posté(e)
"Silent Runners.vbs", revision 43, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by "{++}"

 

 

Startup items buried in registry:

---------------------------------

 

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]

"MsnMsgr" = ""C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background" [MS]

"FreeBrowser" = "C:\Program Files\FreeBrowser\FreeBrowser\FreeBrowser.exe" ["nabocorp. softwares"]

"H/PC Connection Agent" = ""C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"" [MS]

"Skype" = ""C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized" ["Skype Technologies S.A."]

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]

"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]

"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit" [MS]

"DAEMON Tools-1033" = ""C:\Program Files\D-Tools\daemon.exe" -lang 1033" ["DAEMON'S HOME"]

"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" ["Sun Microsystems, Inc."]

"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]

"WinampAgent" = "C:\Program Files\Winamp\winampa.exe" [null data]

"BDMCon" = ""C:\Program Files\Softwin\BitDefender8\bdmcon.exe"" ["SOFTWIN S.R.L."]

"BDNewsAgent" = ""C:\Program Files\Softwin\BitDefender8\bdnagent.exe"" [null data]

"Logitech Hardware Abstraction Layer" = "KHALMNPR.EXE" ["Logitech Inc."]

"Logitech BT Wizard" = "LBTWiz.exe -silent" ["Logitech Inc."]

"Easy Synchronization" = "C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe" [null data]

"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]

"Launch Ai Booster" = ""C:\Program Files\ASUS\Ai Booster\OverClk.exe"" [null data]

"CloneCDTray" = ""C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s" ["SlySoft, Inc."]

"Share-to-Web Namespace Daemon" = "C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" ["Hewlett-Packard"]

".nvsvc" = "C:\WINDOWS\system\smss.exe /w" [null data]

"Flash32" = "c:\Program Files\Flash 32\Flash32.exe" ["Jean Piquemal"]

"avgnt" = ""C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min" ["H+BEDV Datentechnik GmbH"]

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ {++}

"Easy Synchronization" = "C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe --ports" [null data]

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = "SSVHelper Class" [from CLSID]

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]

{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = "Google Toolbar Helper" [from CLSID]

-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

{C56CB6B0-0D96-11D6-8C65-B2868B609932}\(Default) = "NTIECatcher Class" [from CLSID]

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll" ["Xi"]

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Extension Affichage Panorama du Panneau de configuration"

-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Extension icône HyperTerminal"

-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]

"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"

-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"]

"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"

-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"]

"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"

-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"

-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"

-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]

"{D653647D-D607-4DF6-A5B8-48D2BA195F7B}" = "BitDefender Antivirus v8"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Softwin\BitDefender8\bdshelxt.dll" ["SOFTWIN S.R.L."]

"{6af09ec9-b429-11d4-a1fb-0090960218cb}" = "My Bluetooth Places"

-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\btneighborhood.dll" ["Broadcom Corporation."]

"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"

-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]

"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"

-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]

"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"

-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]

"{e82a2d71-5b2f-43a0-97b8-81be15854de8}" = "ShellLink for Application References"

-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\dfshim.dll" [MS]

"{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75}" = "Shell Icon Handler for Application References"

-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\dfshim.dll" [MS]

"{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" = "Shell Extension for Malware scanning"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll" ["H+BEDV Datentechnik GmbH"]

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\

INFECTION WARNING! "{FE24CD78-7C63-465D-8787-4EDF7FC79895}" = "ShellExecuteHook class"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Logitech\Easy Synchronization\shellexecutehook.dll" [null data]

INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido anti-malware\shellhook.dll" ["TODO: <Firmenname>"]

 

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

INFECTION WARNING! LBTWlgn\DLLName = "c:\program files\fichiers communs\logitech\bluetooth\LBTWlgn.dll" ["Logitech Inc."]

 

HKLM\Software\Classes\PROTOCOLS\Filter\

INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Fichiers communs\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

 

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

BitDefender Antivirus v8\(Default) = "{D653647D-D607-4DF6-A5B8-48D2BA195F7B}"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Softwin\BitDefender8\bdshelxt.dll" ["SOFTWIN S.R.L."]

Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll" ["H+BEDV Datentechnik GmbH"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

 

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

 

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

BitDefender Antivirus v8\(Default) = "{D653647D-D607-4DF6-A5B8-48D2BA195F7B}"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Softwin\BitDefender8\bdshelxt.dll" ["SOFTWIN S.R.L."]

Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll" ["H+BEDV Datentechnik GmbH"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

 

 

Active Desktop and Wallpaper:

-----------------------------

 

Active Desktop is disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

 

HKCU\Control Panel\Desktop\

"Wallpaper" = "C:\Documents and Settings\Nono\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

 

 

DESKTOP.INI DLL launch in local fixed drive directories:

--------------------------------------------------------

 

WARNING! E: is an unreadable partition!

 

 

Startup items in "Nono" & "All Users" startup folders:

------------------------------------------------------

 

C:\Documents and Settings\Nono\Menu Démarrer\Programmes\Démarrage

"Folding@Home 5.03" -> shortcut to: "C:\Program Files\Folding@Home\winFAH.exe" ["Stanford University"]

"SpeedFan" -> shortcut to: "C:\Program Files\SpeedFan\speedfan.exe" ["Almico Software (www.almico.com)"]

 

C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage

"BTTray" -> shortcut to: "C:\Program Files\WIDCOMM\Logiciel Bluetooth\BTTray.exe" ["Broadcom Corporation."]

"Lancement rapide d'Adobe Reader" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]

"Loadout Manager" -> shortcut to: "C:\Program Files\Belkin\Nostromo\nost_LM.exe -startup" [empty string]

"Logitech SetPoint" -> shortcut to: "C:\Program Files\Logitech\SetPoint\SetPoint.exe" ["Logitech Inc."]

"PyGrenouille" -> shortcut to: "C:\Program Files\PyGrenouille\pygrenouille.exe" [null data]

"SATARAID5" -> shortcut to: "C:\Program Files\Silicon Image\3114 SATARAID5\sam.jar" [null data]

 

 

Winsock2 Service Provider DLLs:

-------------------------------

 

Namespace Service Providers

 

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

 

Transport Service Providers

 

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 19

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

 

 

Toolbars, Explorer Bars, Extensions:

------------------------------------

 

Toolbars

 

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]

-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

 

HKLM\Software\Microsoft\Internet Explorer\Toolbar\

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]

-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

 

Explorer Bars

 

Dormant Explorer Bars in "View, Explorer Bar" menu

 

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\ = "&Rechercher"

Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

 

Extensions (Tools menu items, main toolbar menu buttons)

 

HKLM\Software\Microsoft\Internet Explorer\Extensions\

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\

"MenuText" = "Console Java (Sun)"

"CLSIDExtension" = "{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll" ["Sun Microsystems, Inc."]

 

{2EAF5BB1-070F-11D3-9307-00C04FAE2D4F}\

"ButtonText" = "Créer un Favori de l'appareil mobile"

"CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft ActiveSync\INetRepl.dll" [MS]

 

{2EAF5BB2-070F-11D3-9307-00C04FAE2D4F}\

"MenuText" = "Créer un Favori de l'appareil mobile..."

"CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft ActiveSync\INetRepl.dll" [MS]

 

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\

"ButtonText" = "Recherche"

 

{CCA281CA-C863-46EF-9331-5C8D4460577F}\

"ButtonText" = "@btrez.dll,-4015"

"MenuText" = "@btrez.dll,-12650"

"Script" = "C:\Program Files\WIDCOMM\Logiciel Bluetooth\btsendto_ie.htm" [null data]

 

{FB5F1910-F110-11D2-BB9E-00C04F795683}\

"ButtonText" = "Messenger"

"MenuText" = "Windows Messenger"

"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]

 

 

Miscellaneous IE Hijack Points

------------------------------

 

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

 

Added lines (compared with English-language version):

[strings]: SAFESITE_VALUE="http://home.microsoft.com/intl/fr/"

 

Missing lines (compared with English-language version):

[strings]: 1 line

 

 

Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------

 

AntiVir PersonalEdition Classic Service, AntiVirService, "C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe" ["H+BEDV Datentechnik GmbH"]

AntiVir Scheduler, AntiVirScheduler, "C:\Program Files\AntiVir PersonalEdition Classic\sched.exe" ["H+BEDV Datentechnik GmbH"]

BitDefender Communicator, XCOMM, ""C:\Program Files\Fichiers communs\Softwin\BitDefender Communicator\xcommsvr.exe" /service" ["Softwin"]

BitDefender Scan Server, bdss, ""C:\Program Files\Fichiers communs\Softwin\BitDefender Scan Server\bdss.exe" /service" [null data]

Bluetooth Service, btwdins, "C:\Program Files\WIDCOMM\Logiciel Bluetooth\bin\btwdins.exe" ["Broadcom Corporation."]

ewido security suite control, ewido security suite control, "C:\Program Files\ewido anti-malware\ewidoctrl.exe" ["ewido networks"]

Kerio Personal Firewall 4, KPF4, "C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe" ["Kerio Technologies"]

Logitech Bluetooth Service, LBTServ, "C:\Program Files\Fichiers communs\Logitech\Bluetooth\LBTSERV.EXE" ["Logitech Inc."]

Logitech Easy Synchronization, Logitech Easy Synchronization, "C:\Program Files\Logitech\Easy Synchronization\servicestub.exe" [null data]

Machine Debug Manager, MDM, ""C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]

NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]

Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]

 

 

Print Monitors:

---------------

 

HKLM\System\CurrentControlSet\Control\Print\Monitors\

Canon BJ Language Monitor PIXMA iP3000\Driver = "CNMLM61.DLL" ["CANON INC."]

Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]

Port imprimante Bluetooth\Driver = "bthcrp.dll" ["Broadcom Corporation."]

 

 

----------

+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

launch it from a command prompt or a shortcut with the -all parameter.

+ The search for DESKTOP.INI DLL launch points on all local fixed drives

took 63 seconds.

+ The search for all Registry CLSIDs containing dormant Explorer Bars

took 8 seconds.

---------- (total run time: 97 seconds)

 

voilou...

Blaise Member

Blaise

Posté(e)
  • Auteur
Posté(e) (modifié)

Désolé pour le double post...

 

Mais là exmodulah vient de demander une connexion au net...

 

"Silent Runners.vbs", revision 43, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by "{++}"

 

 

Startup items buried in registry:

---------------------------------

 

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]

"MsnMsgr" = ""C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background" [MS]

"FreeBrowser" = "C:\Program Files\FreeBrowser\FreeBrowser\FreeBrowser.exe" ["nabocorp. softwares"]

"H/PC Connection Agent" = ""C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"" [MS]

"Skype" = ""C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized" ["Skype Technologies S.A."]

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]

"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]

"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit" [MS]

"DAEMON Tools-1033" = ""C:\Program Files\D-Tools\daemon.exe" -lang 1033" ["DAEMON'S HOME"]

"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" ["Sun Microsystems, Inc."]

"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]

"WinampAgent" = "C:\Program Files\Winamp\winampa.exe" [null data]

"BDMCon" = ""C:\Program Files\Softwin\BitDefender8\bdmcon.exe"" ["SOFTWIN S.R.L."]

"BDNewsAgent" = ""C:\Program Files\Softwin\BitDefender8\bdnagent.exe"" [null data]

"Logitech Hardware Abstraction Layer" = "KHALMNPR.EXE" ["Logitech Inc."]

"Logitech BT Wizard" = "LBTWiz.exe -silent" ["Logitech Inc."]

"Easy Synchronization" = "C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe" [null data]

"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]

"Launch Ai Booster" = ""C:\Program Files\ASUS\Ai Booster\OverClk.exe"" [null data]

"CloneCDTray" = ""C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s" ["SlySoft, Inc."]

"Share-to-Web Namespace Daemon" = "C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" ["Hewlett-Packard"]

".nvsvc" = "C:\WINDOWS\system\smss.exe /w" [null data]

"Flash32" = "c:\Program Files\Flash 32\Flash32.exe" ["Jean Piquemal"]

"avgnt" = ""C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min" ["H+BEDV Datentechnik GmbH"]

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ {++}

"Easy Synchronization" = "C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe --ports" [null data]

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = "SSVHelper Class" [from CLSID]

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]

{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = "Google Toolbar Helper" [from CLSID]

-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

{C56CB6B0-0D96-11D6-8C65-B2868B609932}\(Default) = "NTIECatcher Class" [from CLSID]

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll" ["Xi"]

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Extension Affichage Panorama du Panneau de configuration"

-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Extension icône HyperTerminal"

-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]

"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"

-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"]

"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"

-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"]

"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"

-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"

-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"

-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]

"{D653647D-D607-4DF6-A5B8-48D2BA195F7B}" = "BitDefender Antivirus v8"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Softwin\BitDefender8\bdshelxt.dll" ["SOFTWIN S.R.L."]

"{6af09ec9-b429-11d4-a1fb-0090960218cb}" = "My Bluetooth Places"

-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\btneighborhood.dll" ["Broadcom Corporation."]

"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"

-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]

"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"

-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]

"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"

-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]

"{e82a2d71-5b2f-43a0-97b8-81be15854de8}" = "ShellLink for Application References"

-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\dfshim.dll" [MS]

"{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75}" = "Shell Icon Handler for Application References"

-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\dfshim.dll" [MS]

"{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" = "Shell Extension for Malware scanning"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll" ["H+BEDV Datentechnik GmbH"]

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\

INFECTION WARNING! "{FE24CD78-7C63-465D-8787-4EDF7FC79895}" = "ShellExecuteHook class"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Logitech\Easy Synchronization\shellexecutehook.dll" [null data]

INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido anti-malware\shellhook.dll" ["TODO: <Firmenname>"]

 

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

INFECTION WARNING! LBTWlgn\DLLName = "c:\program files\fichiers communs\logitech\bluetooth\LBTWlgn.dll" ["Logitech Inc."]

 

HKLM\Software\Classes\PROTOCOLS\Filter\

INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Fichiers communs\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

 

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

BitDefender Antivirus v8\(Default) = "{D653647D-D607-4DF6-A5B8-48D2BA195F7B}"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Softwin\BitDefender8\bdshelxt.dll" ["SOFTWIN S.R.L."]

Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll" ["H+BEDV Datentechnik GmbH"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

 

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

 

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

BitDefender Antivirus v8\(Default) = "{D653647D-D607-4DF6-A5B8-48D2BA195F7B}"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Softwin\BitDefender8\bdshelxt.dll" ["SOFTWIN S.R.L."]

Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll" ["H+BEDV Datentechnik GmbH"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

 

 

Active Desktop and Wallpaper:

-----------------------------

 

Active Desktop is disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

 

HKCU\Control Panel\Desktop\

"Wallpaper" = "C:\Documents and Settings\Nono\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

 

 

Startup items in "Nono" & "All Users" startup folders:

------------------------------------------------------

 

C:\Documents and Settings\Nono\Menu Démarrer\Programmes\Démarrage

"Folding@Home 5.03" -> shortcut to: "C:\Program Files\Folding@Home\winFAH.exe" ["Stanford University"]

"SpeedFan" -> shortcut to: "C:\Program Files\SpeedFan\speedfan.exe" ["Almico Software (www.almico.com)"]

 

C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage

"BTTray" -> shortcut to: "C:\Program Files\WIDCOMM\Logiciel Bluetooth\BTTray.exe" ["Broadcom Corporation."]

"Lancement rapide d'Adobe Reader" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]

"Loadout Manager" -> shortcut to: "C:\Program Files\Belkin\Nostromo\nost_LM.exe -startup" [empty string]

"Logitech SetPoint" -> shortcut to: "C:\Program Files\Logitech\SetPoint\SetPoint.exe" ["Logitech Inc."]

"PyGrenouille" -> shortcut to: "C:\Program Files\PyGrenouille\pygrenouille.exe" [null data]

"SATARAID5" -> shortcut to: "C:\Program Files\Silicon Image\3114 SATARAID5\sam.jar" [null data]

 

 

Winsock2 Service Provider DLLs:

-------------------------------

 

Namespace Service Providers

 

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

 

Transport Service Providers

 

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 19

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

 

 

Toolbars, Explorer Bars, Extensions:

------------------------------------

 

Toolbars

 

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]

-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

 

HKLM\Software\Microsoft\Internet Explorer\Toolbar\

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]

-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

 

Extensions (Tools menu items, main toolbar menu buttons)

 

HKLM\Software\Microsoft\Internet Explorer\Extensions\

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\

"MenuText" = "Console Java (Sun)"

"CLSIDExtension" = "{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll" ["Sun Microsystems, Inc."]

 

{2EAF5BB1-070F-11D3-9307-00C04FAE2D4F}\

"ButtonText" = "Créer un Favori de l'appareil mobile"

"CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft ActiveSync\INetRepl.dll" [MS]

 

{2EAF5BB2-070F-11D3-9307-00C04FAE2D4F}\

"MenuText" = "Créer un Favori de l'appareil mobile..."

"CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft ActiveSync\INetRepl.dll" [MS]

 

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\

"ButtonText" = "Recherche"

 

{CCA281CA-C863-46EF-9331-5C8D4460577F}\

"ButtonText" = "@btrez.dll,-4015"

"MenuText" = "@btrez.dll,-12650"

"Script" = "C:\Program Files\WIDCOMM\Logiciel Bluetooth\btsendto_ie.htm" [null data]

 

{FB5F1910-F110-11D2-BB9E-00C04F795683}\

"ButtonText" = "Messenger"

"MenuText" = "Windows Messenger"

"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]

 

 

Miscellaneous IE Hijack Points

------------------------------

 

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

 

Added lines (compared with English-language version):

[strings]: SAFESITE_VALUE="http://home.microsoft.com/intl/fr/"

 

Missing lines (compared with English-language version):

[strings]: 1 line

 

 

Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------

 

AntiVir PersonalEdition Classic Service, AntiVirService, "C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe" ["H+BEDV Datentechnik GmbH"]

AntiVir Scheduler, AntiVirScheduler, "C:\Program Files\AntiVir PersonalEdition Classic\sched.exe" ["H+BEDV Datentechnik GmbH"]

BitDefender Communicator, XCOMM, ""C:\Program Files\Fichiers communs\Softwin\BitDefender Communicator\xcommsvr.exe" /service" ["Softwin"]

BitDefender Scan Server, bdss, ""C:\Program Files\Fichiers communs\Softwin\BitDefender Scan Server\bdss.exe" /service" [null data]

Bluetooth Service, btwdins, "C:\Program Files\WIDCOMM\Logiciel Bluetooth\bin\btwdins.exe" ["Broadcom Corporation."]

ewido security suite control, ewido security suite control, "C:\Program Files\ewido anti-malware\ewidoctrl.exe" ["ewido networks"]

Kerio Personal Firewall 4, KPF4, "C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe" ["Kerio Technologies"]

Logitech Bluetooth Service, LBTServ, "C:\Program Files\Fichiers communs\Logitech\Bluetooth\LBTSERV.EXE" ["Logitech Inc."]

Logitech Easy Synchronization, Logitech Easy Synchronization, "C:\Program Files\Logitech\Easy Synchronization\servicestub.exe" [null data]

Machine Debug Manager, MDM, ""C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]

NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]

Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]

 

 

Print Monitors:

---------------

 

HKLM\System\CurrentControlSet\Control\Print\Monitors\

Canon BJ Language Monitor PIXMA iP3000\Driver = "CNMLM61.DLL" ["CANON INC."]

Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]

Port imprimante Bluetooth\Driver = "bthcrp.dll" ["Broadcom Corporation."]

 

 

----------

+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

launch it from a command prompt or a shortcut with the -all parameter.

+ To search all directories of local fixed drives for DESKTOP.INI

DLL launch points and all Registry CLSIDs for dormant Explorer Bars,

use the -supp parameter or answer "No" at the first message box.

---------- (total run time: 18 seconds, including 6 seconds for message boxes)

Modifié par Blaise

Rejoindre la conversation

Vous pouvez publier maintenant et vous inscrire plus tard. Si vous avez un compte, connectez-vous maintenant pour publier avec votre compte.
Remarque : votre message nécessitera l’approbation d’un modérateur avant de pouvoir être visible.

Invité
Répondre à ce sujet…

×   Collé en tant que texte enrichi.   Coller en tant que texte brut à la place

  Seulement 75 émoticônes maximum sont autorisées.

×   Votre lien a été automatiquement intégré.   Afficher plutôt comme un lien

×   Votre contenu précédent a été rétabli.   Vider l’éditeur

×   Vous ne pouvez pas directement coller des images. Envoyez-les depuis votre ordinateur ou insérez-les depuis une URL.

×
 Partager
Aller sur la liste des sujets

  • En ligne récemment   0 membre est en ligne

    • Aucun utilisateur enregistré regarde cette page.
×
×
  • Créer...