Bonjour, voila plusieurs jours que je cherche des solutions pour eradiquer ce trojan. mon antivirus kaspersky l a bien detecté mais impossible de reparer. je lance Spybot et j ai beau corriger les erreurs, ils sont toujours la ! je lance ccleaner, apres correction, toujours la ! voici la description du trojan : trojan-Downloader.Win32.Small.jhl c:\Program Files\Spoolsvt.exe j ai beau essayer de trouver ce fichier pour le supprimer mais inexistant ! je travaille sous xp sp 3 alors je m adresse aux professionnels, pour m aider a trouver une solution pour eradiquer ce cheval de troie ! j ai deja du desinstaller modzilla a cause de lui et le réinstaller apres pour que je puisse surfer ! mais que va t il m arriver ensuite ?

kaspersky vient de me trouver le trojan mais j ai reussi a le supprimer, enfin pour le moment ca passe ! supprimé : cheval de Troie Trojan-Downloader.Win32.Small.jhl Le fichier: C:\Qoobox\Quarantine\C\Program Files\spoolsvt.exe.vir supprimé : cheval de Troie Trojan-Downloader.Win32.Small.jhl Le fichier: C:\System Volume Information\_restore{54D8DA60-6A4A-42A7-A8E5-96FEC1364212}\RP1\A0000097.exe supprimé : cheval de Troie Trojan-Downloader.Win32.Small.jhl Le fichier: C:\System Volume Information\_restore{54D8DA60-6A4A-42A7-A8E5-96FEC1364212}\RP2\A0001173.exe

Un trojan résistant, Win32.Small.jhl

Réponse 41 / 89

cgui33 Messages postés 1174 Date d'inscription vendredi 8 avril 2005 Statut Membre Dernière intervention 2 avril 2009 10
16 mars 2009 à 23:59

oui

Réponse 42 / 89

bigblade Messages postés 95 Date d'inscription mardi 10 mars 2009 Statut Membre Dernière intervention 23 mai 2009 1
17 mars 2009 à 21:16

bonsoir,
alors j ai refait ce soir en mode sans echec et il a trouvé 1 erreur :
Valeur(s) du Registre infectée(s):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Printspooler (Trojan.Agent) -> No action taken.
je l ai supprimé et refait un scan et puis il a rien trouvé !
je me remets en normal et lance ccleaner et bien sur l erreur reapparait et j ai beau la corrigé, apres chaque scan elle revient ! zut, je pensais bien que c etait bon cette fois ci !
je crois vraiment que pour l eradiquer, je vais en arriver a faire un format C !!
et pourtant je ne le souhaite pas mais vraiment pas du tout !
a+

Réponse 43 / 89

cgui33 Messages postés 1174 Date d'inscription vendredi 8 avril 2005 Statut Membre Dernière intervention 2 avril 2009 10
17 mars 2009 à 21:49

Re
Si cette ligne arrive à disparaitre puis réapparait c'est surement qu'un autre logiciel la remet dans la BDR !

KASPERSKY
analyse en ligne sur kaspersky et colle un rapport
https://www.kaspersky.fr/?domain=webscanner.kaspersky.fr

A+

Réponse 44 / 89

bigblade Messages postés 95 Date d'inscription mardi 10 mars 2009 Statut Membre Dernière intervention 23 mai 2009 1
17 mars 2009 à 21:52

mais kaspersky est deja mon antivirus

Réponse 45 / 89

cgui33 Messages postés 1174 Date d'inscription vendredi 8 avril 2005 Statut Membre Dernière intervention 2 avril 2009 10
17 mars 2009 à 22:07

OK

Télécharges SilentRunners
et postes le rapport !
A+

Réponse 46 / 89

bigblade Messages postés 95 Date d'inscription mardi 10 mars 2009 Statut Membre Dernière intervention 23 mai 2009 1
17 mars 2009 à 23:01

j ai eu du mal mais je crois que c est ca que tu attends :

"Silent Runners.vbs", revision 59, https://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"SpybotSD TeaTimer" = "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" ["Safer-Networking Ltd."]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}" = ""C:\Program Files\Fichiers communs\Nero\Lib\NMBgMonitor.exe"" ["Nero AG"]
"WMPNSCFG" = "C:\Program Files\Windows Media Player\WMPNSCFG.exe" [MS]
"Skype" = ""C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized" ["Skype Technologies S.A."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"PinnacleDriverCheck" = "C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg" [empty string]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NVRaidService" = "C:\WINDOWS\system32\nvraidservice.exe" ["NVIDIA Corporation"]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"CARPService" = "carpserv.exe" ["Conexant Systems, Inc."]
"DAEMON Tools" = ""C:\Program Files\DAEMON Tools\daemon.exe" -lang 1036" ["DT Soft Ltd."]
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"NBKeyScan" = ""C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"" ["Nero AG"]
"NeroFilterCheck" = "C:\Program Files\Fichiers communs\Nero\Lib\NeroCheck.exe" ["Nero AG"]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS]
"Adobe Reader Speed Launcher" = ""C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"" ["Adobe Systems Incorporated"]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre6\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"AVP" = ""C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"" ["Kaspersky Lab"]
"Printspooler" = "C:\Program Files\spooler.exe" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Aide pour le lien d'Adobe PDF Reader"
\InProcServer32\(Default) = "C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Spybot-S&D IE Protection"
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Java(tm) Plug-In SSV Helper"
\InProcServer32\(Default) = "C:\Program Files\Java\jre6\bin\ssv.dll" ["Sun Microsystems, Inc."]
{9030D464-4C02-4ABF-8ECC-5164760863C6}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Programme d'aide de l'Assistant de connexion Windows Live"
\InProcServer32\(Default) = "C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll" [MS]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Google Toolbar Helper"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar3.dll" ["Google Inc."]
{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Windows Live Toolbar Helper"
\InProcServer32\(Default) = "C:\Program Files\Windows Live Toolbar\msntb.dll" [MS]
{DBC80044-A445-435b-BC74-9C25C1C588A9}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Java(tm) Plug-In 2 SSV Helper"
\InProcServer32\(Default) = "C:\Program Files\Java\jre6\bin\jp2ssv.dll" ["Sun Microsystems, Inc."]
{E7E6F031-17CE-4C07-BC86-EABFE594F69C}\(Default) = "JQSIEStartDetectorImpl"
-> {HKLM...CLSID} = "JQSIEStartDetectorImpl Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll" ["Sun Microsystems, Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Extension icône HyperTerminal"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {HKLM...CLSID} = "DesktopContext Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {HKLM...CLSID} = "Desktop Explorer"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {HKLM...CLSID} = "nView Desktop Context Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders"
-> {HKLM...CLSID} = "Mes dossiers de partage"
\InProcServer32\(Default) = "C:\Program Files\Windows Live\Messenger\fsshext.8.5.1302.1018.dll" [MS]
"{B28C18DB-6816-4F31-9630-397683E3C2C3}" = "Filzip Shell Extension"
-> {HKLM...CLSID} = "Filzip Shell Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\Filzip\fzshext.dll" [empty string]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{85E0B171-04FA-11D1-B7DA-00A0C90348D6}" = "Statistiques d’Anti-Virus Internet"
-> {HKLM...CLSID} = "Statistiques d’Anti-Virus Internet"
\InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll" ["Kaspersky Lab"]
"{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler"
-> {HKLM...CLSID} = "NeroDigitalIconHandler Class"
\InProcServer32\(Default) = "C:\Program Files\Fichiers communs\Nero\Lib\NeroDigitalExt.dll" ["Nero AG"]
"{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler"
-> {HKLM...CLSID} = "NeroDigitalPropSheetHandler Class"
\InProcServer32\(Default) = "C:\Program Files\Fichiers communs\Nero\Lib\NeroDigitalExt.dll" ["Nero AG"]
"{97F68CE3-7146-45FF-BE24-D9A7DD7CB8A2}" = "NeroCoverEd Live Icons"
-> {HKLM...CLSID} = "NeroCoverEdLiveIcons Class"
\InProcServer32\(Default) = "C:\Program Files\Nero\Nero8\Nero CoverDesigner\CoverEdExtension.dll" ["Nero AG"]
"{97090E2F-3062-4459-855B-014F0D3CDBB1}" = "Windows Search Deskbar"
-> {HKCU...CLSID} = "Barre de recherche Windows Search"
\InProcServer32\(Default) = "C:\Program Files\Windows Desktop Search\deskbar.dll" [MS]
-> {HKLM...CLSID} = "Windows Search Deskbar"
\InProcServer32\(Default) = "C:\Program Files\Windows Desktop Search\deskbar.dll" [MS]
"{13E7F612-F261-4391-BEA2-39DF4F3FA311}" = "Windows Desktop Search"
-> {HKLM...CLSID} = "Windows Desktop Search"
\InProcServer32\(Default) = "C:\Program Files\Windows Desktop Search\msnlExt.dll" [MS]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {HKLM...CLSID} = "NVIDIA CPL Extension"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~4\Office12\OLKFSTUB.DLL" [MS]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {HKLM...CLSID} = "Microsoft Office Outlook"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~4\Office12\MLSHEXT.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\msohevi.dll" [MS]
"{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler"
-> {HKLM...CLSID} = "Microsoft Office Metadata Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\FICHIE~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler"
-> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\FICHIE~1\MICROS~1\OFFICE12\msoshext.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}" = "Microsoft AntiMalware ShellExecuteHook"
-> {HKLM...CLSID} = "Microsoft AntiMalware ShellExecuteHook"
\InProcServer32\(Default) = "C:\PROGRA~1\WIFD1F~1\MpShHook.dll" [MS]
<<!>> "{56F9679E-7826-4C84-81F3-532071A8BCC5}" = (no title provided)
-> {HKLM...CLSID} = "Windows Desktop Search Namespace Manager"
\InProcServer32\(Default) = "C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
-> {HKLM...CLSID} = "WPDShServiceObj Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> klogon\DLLName = "C:\WINDOWS\system32\klogon.dll" ["Kaspersky Lab"]

HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807563E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = "Microsoft Office InfoPath XML Mime Filter"
\InProcServer32\(Default) = "C:\PROGRA~1\FICHIE~1\MICROS~1\OFFICE12\MSOXMLMF.DLL" [MS]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{7D4D6379-F301-4311-BEBA-E26EB0561882}\(Default) = "NeroDigitalExt.NeroDigitalColumnHandler"
-> {HKLM...CLSID} = "NeroDigitalColumnHandler Class"
\InProcServer32\(Default) = "C:\Program Files\Fichiers communs\Nero\Lib\NeroDigitalExt.dll" ["Nero AG"]
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
Cover Designer\(Default) = "{73FCA462-9BD5-4065-A73F-A8E5F6904EF7}"
-> {HKLM...CLSID} = "NeroCoverEdContextMenu Class"
\InProcServer32\(Default) = "C:\Program Files\Nero\Nero8\Nero CoverDesigner\CoverEdExtension.dll" ["Nero AG"]
Filzip\(Default) = "{B28C18DB-6816-4F31-9630-397683E3C2C3}"
-> {HKLM...CLSID} = "Filzip Shell Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\Filzip\fzshext.dll" [empty string]
IMMenuShellExt\(Default) = "{F8984111-38B6-11D5-8725-0050DA2761C4}"
-> {HKLM...CLSID} = "IMMenuShellExt Class"
\InProcServer32\(Default) = "C:\Program Files\IncrediMail\bin\ImShExtU.dll" ["IncrediMail, Ltd."]
Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ShellEx.dll" ["Kaspersky Lab"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
Filzip\(Default) = "{B28C18DB-6816-4F31-9630-397683E3C2C3}"
-> {HKLM...CLSID} = "Filzip Shell Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\Filzip\fzshext.dll" [empty string]
Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ShellEx.dll" ["Kaspersky Lab"]
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
-> {HKLM...CLSID} = "MBAMShlExt Class"
\InProcServer32\(Default) = "C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
-> {HKLM...CLSID} = "MBAMShlExt Class"
\InProcServer32\(Default) = "C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]

Default executables:
--------------------

<<!>> HKCU\Software\Classes\.com\(Default) = "ComFile"

<<!>> HKCU\Software\Classes\.exe\(Default) = "exefile"

<<!>> HKCU\Software\Classes\.hta\(Default) = "htafile"

Group Policies {policy setting}:
--------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoDrives" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"HonorAutoRunSetting" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"NoDrives" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\PhishingFilter\

"Enabled" = (REG_DWORD) dword:0x00000000
{Turn off Managing Phishing filter}

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Restrictions\

"NoPopupManagement" = (REG_DWORD) dword:0x00000001
{Turn off pop-up management}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Devices: Allow undock without having to log on}

"ConsentPromptBehaviorAdmin" = (REG_DWORD) dword:0x00000002
{User Account Control: Behavior Of The Elevation Prompt For Administrators In Admin Approval Mode}

Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\PAPA\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

Windows Portable Device AutoPlay Handlers
-----------------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

MSPictureIt10ViewOnArrival\
"Provider" = "Assistant Importation d'images numériques Microsoft"
"InvokeProgID" = "Microsoft.Picture.It.10.AutoPlay"
"InvokeVerb" = "AutoPlay"
HKLM\SOFTWARE\Classes\Microsoft.Picture.It.10.AutoPlay\shell\AutoPlay\Command\(Default) = "C:\Program Files\Picture It! Premium 10\imprtwiz.exe /invoke={D0551EC1-5A78-11cf-9DBE-00AA00A70BB5}" [MS]

MSWPDShellNamespaceHandler\
"Provider" = "@%SystemRoot%\System32\WPDShextRes.dll,-501"
"CLSID" = "{A55803CC-4D53-404c-8557-FD63DBA95D24}"
"InitCmdLine" = " "
-> {HKLM...CLSID} = "WPDShextAutoplay"
\LocalServer32\(Default) = "C:\WINDOWS\system32\WPDShextAutoplay.exe" [MS]

NeroAutoPlay8AudioToNeroDigital\
"Provider" = "Nero Burning ROM"
"InvokeProgID" = "Nero.AutoPlay8"
"InvokeVerb" = "AudioToNeroDigital_PlayCDAudioOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\AudioToNeroDigital_PlayCDAudioOnArrival\command\(Default) = "C:\Program Files\Nero\Nero8\Nero Burning Rom\nero.exe /Dialog:SaveTracks %L" ["Nero AG"]

NeroAutoPlay8CDAudio\
"Provider" = "Nero Express"
"InvokeProgID" = "Nero.AutoPlay8"
"InvokeVerb" = "CDAudio_HandleCDBurningOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\CDAudio_HandleCDBurningOnArrival\command\(Default) = "C:\Program Files\Nero\Nero8\Nero Burning Rom\nero.exe -w /New:AudioCD" ["Nero AG"]

NeroAutoPlay8CopyCD\
"Provider" = "Nero Burning ROM"
"InvokeProgID" = "Nero.AutoPlay8"
"InvokeVerb" = "CopyCD_PlayMusicFilesOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\CopyCD_PlayMusicFilesOnArrival\command\(Default) = "C:\Program Files\Nero\Nero8\Nero Burning Rom\nero.exe /Dialog:DiscCopy %L" ["Nero AG"]

NeroAutoPlay8DataDisc_CD\
"Provider" = "Nero Express"
"InvokeProgID" = "Nero.AutoPlay8"
"InvokeVerb" = "DataDisc_CD_HandleCDBurningOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\DataDisc_CD_HandleCDBurningOnArrival\command\(Default) = "C:\Program Files\Nero\Nero8\Nero Burning Rom\nero.exe -w /New:ISODisc /Media:CD %L" ["Nero AG"]

NeroAutoPlay8DataDisc_DVD\
"Provider" = "Nero Express"
"InvokeProgID" = "Nero.AutoPlay8"
"InvokeVerb" = "DataDisc_DVD_HandleDVDBurningOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\DataDisc_DVD_HandleDVDBurningOnArrival\command\(Default) = "C:\Program Files\Nero\Nero8\Nero Burning Rom\nero.exe -w /New:ISODisc /Media:DVD %L" ["Nero AG"]

NeroAutoPlay8LaunchNeroStartSmart\
"Provider" = "Nero StartSmart"
"InvokeProgID" = "Nero.AutoPlay8"
"InvokeVerb" = "LaunchNeroStartSmart_HandleDVDBurningOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\LaunchNeroStartSmart_HandleDVDBurningOnArrival\command\(Default) = "C:\Program Files\Nero\Nero8\Nero StartSmart\NeroStartSmart.exe /AutoPlay" ["Nero AG"]

NeroAutoPlay8PlayAudioCD\
"Provider" = "Nero ShowTime"
"InvokeProgID" = "Nero.AutoPlay8"
"InvokeVerb" = "PlayAudioCD_PlayMusicFilesOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\PlayAudioCD_PlayMusicFilesOnArrival\command\(Default) = "C:\Program Files\Nero\Nero8\Nero ShowTime\ShowTime.exe /Play %L" ["Nero AG"]

NeroAutoPlay8PlayDVD\
"Provider" = "Nero ShowTime"
"InvokeProgID" = "Nero.AutoPlay8"
"InvokeVerb" = "PlayDVD_PlayVideoFilesOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\PlayDVD_PlayVideoFilesOnArrival\command\(Default) = "C:\Program Files\Nero\Nero8\Nero ShowTime\ShowTime.exe /Play %L" ["Nero AG"]

NeroAutoPlay8RipCD\
"Provider" = "Nero Burning ROM"
"InvokeProgID" = "Nero.AutoPlay8"
"InvokeVerb" = "RipCD_PlayCDAudioOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\RipCD_PlayCDAudioOnArrival\command\(Default) = "C:\Program Files\Nero\Nero8\Nero Burning Rom\nero.exe /Dialog:SaveTracks %L" ["Nero AG"]

NeroAutoPlay8TranscodeVideo\
"Provider" = "Nero Recode"
"InvokeProgID" = "Nero.AutoPlay8"
"InvokeVerb" = "TranscodeVideo_PlayDVDMovieOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\TranscodeVideo_PlayDVDMovieOnArrival\command\(Default) = "C:\Program Files\Nero\Nero8\Nero Recode\Recode.exe /New:CopyDVDVideo" ["Nero AG"]

NeroAutoPlay8VideoCapture\
"Provider" = "Nero Vision"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = ""C:\Program Files\Nero\Nero8\Nero Vision\NeroVision.exe" /New:VideoCapture"
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
-> {HKLM...CLSID} = "ShellExecute HW Event Handler"
\LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

NeroAutoPlay8ViewPhotos\
"Provider" = "Nero PhotoSnap Viewer"
"InvokeProgID" = "Nero.AutoPlay8"
"InvokeVerb" = "ViewPhotos_ShowPicturesOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\ViewPhotos_ShowPicturesOnArrival\command\(Default) = "C:\Program Files\Nero\Nero8\Nero PhotoSnap\PhotoSnapViewer.exe /" ["Nero AG"]

PCLEVideoCameraArrival\
"Provider" = "Pinnacle Studio"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = "C:\Program Files\Pinnacle\Studio 9\programs\studio.exe"
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
-> {HKLM...CLSID} = "ShellExecute HW Event Handler"
\LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

VLCPlayCDAudioOnArrival\
"Provider" = "VideoLAN VLC media player"
"InvokeProgID" = "VLC.CDAudio"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\VLC.CDAudio\shell\play\command\(Default) = "C:\Program Files\VideoLAN\VLC\vlc.exe --started-from-file cdda:%1" ["VideoLAN Team"]

VLCPlayDVDMovieOnArrival\
"Provider" = "VideoLAN VLC media player"
"InvokeProgID" = "VLC.DVDMovie"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\VLC.DVDMovie\shell\play\command\(Default) = "C:\Program Files\VideoLAN\VLC\vlc.exe --started-from-file dvd:%1" ["VideoLAN Team"]

Startup items in "PAPA" & "All Users" startup folders:
------------------------------------------------------

C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage
"Windows Defender" -> shortcut to: "C:\Program Files\Windows Defender\MSASCui.exe" [MS]

Enabled Scheduled Tasks:
------------------------

"MP Scheduled Scan" -> launches: "C:\Program Files\Windows Defender\MpCmdRun.exe Scan -RestrictPrivileges" [MS]
"Vérifier les mises à jour de Windows Live Toolbar" -> launches: "C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE" [MS]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 21
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar3.dll" ["Google Inc."]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar3.dll" ["Google Inc."]
"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}"
-> {HKLM...CLSID} = "Windows Live Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Windows Live Toolbar\msntb.dll" [MS]
"{F2CF5485-4E02-4F68-819C-B92DE9277049}"
-> {HKLM...CLSID} = "&Links"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar3.dll" ["Google Inc."]
"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}" = (no title provided)
-> {HKLM...CLSID} = "Windows Live Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Windows Live Toolbar\msntb.dll" [MS]

Explorer Bars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\

HKLM\SOFTWARE\Classes\CLSID\{85E0B171-04FA-11D1-B7DA-00A0C90348D6}\(Default) = "Statistiques d’Anti-Virus Internet"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll" ["Kaspersky Lab"]

HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Rechercher"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{1F460357-8A94-4D71-9CA3-AA4ACF32ED8E}\
"ButtonText" = "Statistiques d’Anti-Virus Internet"

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"

{B205A35E-1FC4-4CE3-818B-899DBBB3388C}\

{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}\
"MenuText" = "Spybot - Search & Destroy Configuration"
"CLSIDExtension" = "{53707962-6F74-2D53-2644-206D7942484F}"
-> {HKLM...CLSID} = "Spybot-S&D IE Protection"
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]

{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AshampooDefragService, AshampooDefragService, "C:\Program Files\Ashampoo\Ashampoo Magic Defrag\bin\aDefragService.exe" [" "]
C-DillaCdaC11BA, C-DillaCdaC11BA, "C:\WINDOWS\system32\drivers\CDAC11BA.EXE" ["Macrovision"]
Carte de performance WMI, WmiApSrv, "C:\WINDOWS\system32\wbem\wmiapsrv.exe" [MS]
Java Quick Starter, JavaQuickStarterService, ""C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf"" ["Sun Microsystems, Inc."]
Kaspersky Internet Security 7.0, AVP, ""C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" -r" ["Kaspersky Lab"]
Nero BackItUp Scheduler 3, Nero BackItUp Scheduler 3, "C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe" ["Nero AG"]
NMIndexingService, NMIndexingService, ""C:\Program Files\Fichiers communs\Nero\Lib\NMIndexingService.exe"" ["Nero AG"]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
Service Partage réseau du Lecteur Windows Media, WMPNetworkSvc, ""C:\Program Files\Windows Media Player\WMPNetwk.exe"" [MS]
Windows Defender, WinDefend, ""C:\Program Files\Windows Defender\MsMpEng.exe"" [MS]
Windows Search, WSearch, "C:\WINDOWS\system32\SearchIndexer.exe /Embedding" [MS]

---------- (launch time: 2009-03-17 22:59:15)
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 33 seconds, including 5 seconds for message boxes)

Réponse 47 / 89

cgui33 Messages postés 1174 Date d'inscription vendredi 8 avril 2005 Statut Membre Dernière intervention 2 avril 2009 10
17 mars 2009 à 23:38

Re

On retrouve bien "Printspooler" = "C:\Program Files\spooler.exe" [file not found]
mais comme le fichier a été supprimé il n'est pas exécuté !
Le problème c'est de ne pas pouvoir supprimer cette ... de ligne !
Relance Silentrunners et réponds non à la première question (le scan prendra beaucoup plus de temps !)
Et postes le rapport demain ...
A+

Réponse 48 / 89

bigblade Messages postés 95 Date d'inscription mardi 10 mars 2009 Statut Membre Dernière intervention 23 mai 2009 1
19 mars 2009 à 09:53

"Silent Runners.vbs", revision 59, https://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"SpybotSD TeaTimer" = "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" ["Safer-Networking Ltd."]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}" = ""C:\Program Files\Fichiers communs\Nero\Lib\NMBgMonitor.exe"" ["Nero AG"]
"WMPNSCFG" = "C:\Program Files\Windows Media Player\WMPNSCFG.exe" [MS]
"Skype" = ""C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized" ["Skype Technologies S.A."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"PinnacleDriverCheck" = "C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg" [empty string]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NVRaidService" = "C:\WINDOWS\system32\nvraidservice.exe" ["NVIDIA Corporation"]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"CARPService" = "carpserv.exe" ["Conexant Systems, Inc."]
"DAEMON Tools" = ""C:\Program Files\DAEMON Tools\daemon.exe" -lang 1036" ["DT Soft Ltd."]
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"NBKeyScan" = ""C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"" ["Nero AG"]
"NeroFilterCheck" = "C:\Program Files\Fichiers communs\Nero\Lib\NeroCheck.exe" ["Nero AG"]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS]
"Adobe Reader Speed Launcher" = ""C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"" ["Adobe Systems Incorporated"]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre6\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"AVP" = ""C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"" ["Kaspersky Lab"]
"Printspooler" = "C:\Program Files\spooler.exe" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Aide pour le lien d'Adobe PDF Reader"
\InProcServer32\(Default) = "C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Spybot-S&D IE Protection"
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Java(tm) Plug-In SSV Helper"
\InProcServer32\(Default) = "C:\Program Files\Java\jre6\bin\ssv.dll" ["Sun Microsystems, Inc."]
{9030D464-4C02-4ABF-8ECC-5164760863C6}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Programme d'aide de l'Assistant de connexion Windows Live"
\InProcServer32\(Default) = "C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll" [MS]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Google Toolbar Helper"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar3.dll" ["Google Inc."]
{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Windows Live Toolbar Helper"
\InProcServer32\(Default) = "C:\Program Files\Windows Live Toolbar\msntb.dll" [MS]
{DBC80044-A445-435b-BC74-9C25C1C588A9}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Java(tm) Plug-In 2 SSV Helper"
\InProcServer32\(Default) = "C:\Program Files\Java\jre6\bin\jp2ssv.dll" ["Sun Microsystems, Inc."]
{E7E6F031-17CE-4C07-BC86-EABFE594F69C}\(Default) = "JQSIEStartDetectorImpl"
-> {HKLM...CLSID} = "JQSIEStartDetectorImpl Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll" ["Sun Microsystems, Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Extension icône HyperTerminal"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {HKLM...CLSID} = "DesktopContext Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {HKLM...CLSID} = "Desktop Explorer"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {HKLM...CLSID} = "nView Desktop Context Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders"
-> {HKLM...CLSID} = "Mes dossiers de partage"
\InProcServer32\(Default) = "C:\Program Files\Windows Live\Messenger\fsshext.8.5.1302.1018.dll" [MS]
"{B28C18DB-6816-4F31-9630-397683E3C2C3}" = "Filzip Shell Extension"
-> {HKLM...CLSID} = "Filzip Shell Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\Filzip\fzshext.dll" [empty string]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{85E0B171-04FA-11D1-B7DA-00A0C90348D6}" = "Statistiques d’Anti-Virus Internet"
-> {HKLM...CLSID} = "Statistiques d’Anti-Virus Internet"
\InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll" ["Kaspersky Lab"]
"{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler"
-> {HKLM...CLSID} = "NeroDigitalIconHandler Class"
\InProcServer32\(Default) = "C:\Program Files\Fichiers communs\Nero\Lib\NeroDigitalExt.dll" ["Nero AG"]
"{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler"
-> {HKLM...CLSID} = "NeroDigitalPropSheetHandler Class"
\InProcServer32\(Default) = "C:\Program Files\Fichiers communs\Nero\Lib\NeroDigitalExt.dll" ["Nero AG"]
"{97F68CE3-7146-45FF-BE24-D9A7DD7CB8A2}" = "NeroCoverEd Live Icons"
-> {HKLM...CLSID} = "NeroCoverEdLiveIcons Class"
\InProcServer32\(Default) = "C:\Program Files\Nero\Nero8\Nero CoverDesigner\CoverEdExtension.dll" ["Nero AG"]
"{97090E2F-3062-4459-855B-014F0D3CDBB1}" = "Windows Search Deskbar"
-> {HKCU...CLSID} = "Barre de recherche Windows Search"
\InProcServer32\(Default) = "C:\Program Files\Windows Desktop Search\deskbar.dll" [MS]
-> {HKLM...CLSID} = "Windows Search Deskbar"
\InProcServer32\(Default) = "C:\Program Files\Windows Desktop Search\deskbar.dll" [MS]
"{13E7F612-F261-4391-BEA2-39DF4F3FA311}" = "Windows Desktop Search"
-> {HKLM...CLSID} = "Windows Desktop Search"
\InProcServer32\(Default) = "C:\Program Files\Windows Desktop Search\msnlExt.dll" [MS]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {HKLM...CLSID} = "NVIDIA CPL Extension"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~4\Office12\OLKFSTUB.DLL" [MS]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {HKLM...CLSID} = "Microsoft Office Outlook"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~4\Office12\MLSHEXT.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\msohevi.dll" [MS]
"{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler"
-> {HKLM...CLSID} = "Microsoft Office Metadata Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\FICHIE~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler"
-> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\FICHIE~1\MICROS~1\OFFICE12\msoshext.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}" = "Microsoft AntiMalware ShellExecuteHook"
-> {HKLM...CLSID} = "Microsoft AntiMalware ShellExecuteHook"
\InProcServer32\(Default) = "C:\PROGRA~1\WIFD1F~1\MpShHook.dll" [MS]
<<!>> "{56F9679E-7826-4C84-81F3-532071A8BCC5}" = (no title provided)
-> {HKLM...CLSID} = "Windows Desktop Search Namespace Manager"
\InProcServer32\(Default) = "C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
-> {HKLM...CLSID} = "WPDShServiceObj Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> klogon\DLLName = "C:\WINDOWS\system32\klogon.dll" ["Kaspersky Lab"]

HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807563E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = "Microsoft Office InfoPath XML Mime Filter"
\InProcServer32\(Default) = "C:\PROGRA~1\FICHIE~1\MICROS~1\OFFICE12\MSOXMLMF.DLL" [MS]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{7D4D6379-F301-4311-BEBA-E26EB0561882}\(Default) = "NeroDigitalExt.NeroDigitalColumnHandler"
-> {HKLM...CLSID} = "NeroDigitalColumnHandler Class"
\InProcServer32\(Default) = "C:\Program Files\Fichiers communs\Nero\Lib\NeroDigitalExt.dll" ["Nero AG"]
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
Cover Designer\(Default) = "{73FCA462-9BD5-4065-A73F-A8E5F6904EF7}"
-> {HKLM...CLSID} = "NeroCoverEdContextMenu Class"
\InProcServer32\(Default) = "C:\Program Files\Nero\Nero8\Nero CoverDesigner\CoverEdExtension.dll" ["Nero AG"]
Filzip\(Default) = "{B28C18DB-6816-4F31-9630-397683E3C2C3}"
-> {HKLM...CLSID} = "Filzip Shell Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\Filzip\fzshext.dll" [empty string]
IMMenuShellExt\(Default) = "{F8984111-38B6-11D5-8725-0050DA2761C4}"
-> {HKLM...CLSID} = "IMMenuShellExt Class"
\InProcServer32\(Default) = "C:\Program Files\IncrediMail\bin\ImShExtU.dll" ["IncrediMail, Ltd."]
Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ShellEx.dll" ["Kaspersky Lab"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
Filzip\(Default) = "{B28C18DB-6816-4F31-9630-397683E3C2C3}"
-> {HKLM...CLSID} = "Filzip Shell Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\Filzip\fzshext.dll" [empty string]
Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ShellEx.dll" ["Kaspersky Lab"]
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
-> {HKLM...CLSID} = "MBAMShlExt Class"
\InProcServer32\(Default) = "C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
-> {HKLM...CLSID} = "MBAMShlExt Class"
\InProcServer32\(Default) = "C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]

Default executables:
--------------------

<<!>> HKCU\Software\Classes\.com\(Default) = "ComFile"

<<!>> HKCU\Software\Classes\.exe\(Default) = "exefile"

<<!>> HKCU\Software\Classes\.hta\(Default) = "htafile"

Group Policies {policy setting}:
--------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoDrives" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"HonorAutoRunSetting" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"NoDrives" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\PhishingFilter\

"Enabled" = (REG_DWORD) dword:0x00000000
{Turn off Managing Phishing filter}

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Restrictions\

"NoPopupManagement" = (REG_DWORD) dword:0x00000001
{Turn off pop-up management}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Devices: Allow undock without having to log on}

"ConsentPromptBehaviorAdmin" = (REG_DWORD) dword:0x00000002
{User Account Control: Behavior Of The Elevation Prompt For Administrators In Admin Approval Mode}

Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\PAPA\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

Windows Portable Device AutoPlay Handlers
-----------------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

MSPictureIt10ViewOnArrival\
"Provider" = "Assistant Importation d'images numériques Microsoft"
"InvokeProgID" = "Microsoft.Picture.It.10.AutoPlay"
"InvokeVerb" = "AutoPlay"
HKLM\SOFTWARE\Classes\Microsoft.Picture.It.10.AutoPlay\shell\AutoPlay\Command\(Default) = "C:\Program Files\Picture It! Premium 10\imprtwiz.exe /invoke={D0551EC1-5A78-11cf-9DBE-00AA00A70BB5}" [MS]

MSWPDShellNamespaceHandler\
"Provider" = "@%SystemRoot%\System32\WPDShextRes.dll,-501"
"CLSID" = "{A55803CC-4D53-404c-8557-FD63DBA95D24}"
"InitCmdLine" = " "
-> {HKLM...CLSID} = "WPDShextAutoplay"
\LocalServer32\(Default) = "C:\WINDOWS\system32\WPDShextAutoplay.exe" [MS]

NeroAutoPlay8AudioToNeroDigital\
"Provider" = "Nero Burning ROM"
"InvokeProgID" = "Nero.AutoPlay8"
"InvokeVerb" = "AudioToNeroDigital_PlayCDAudioOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\AudioToNeroDigital_PlayCDAudioOnArrival\command\(Default) = "C:\Program Files\Nero\Nero8\Nero Burning Rom\nero.exe /Dialog:SaveTracks %L" ["Nero AG"]

NeroAutoPlay8CDAudio\
"Provider" = "Nero Express"
"InvokeProgID" = "Nero.AutoPlay8"
"InvokeVerb" = "CDAudio_HandleCDBurningOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\CDAudio_HandleCDBurningOnArrival\command\(Default) = "C:\Program Files\Nero\Nero8\Nero Burning Rom\nero.exe -w /New:AudioCD" ["Nero AG"]

NeroAutoPlay8CopyCD\
"Provider" = "Nero Burning ROM"
"InvokeProgID" = "Nero.AutoPlay8"
"InvokeVerb" = "CopyCD_PlayMusicFilesOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\CopyCD_PlayMusicFilesOnArrival\command\(Default) = "C:\Program Files\Nero\Nero8\Nero Burning Rom\nero.exe /Dialog:DiscCopy %L" ["Nero AG"]

NeroAutoPlay8DataDisc_CD\
"Provider" = "Nero Express"
"InvokeProgID" = "Nero.AutoPlay8"
"InvokeVerb" = "DataDisc_CD_HandleCDBurningOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\DataDisc_CD_HandleCDBurningOnArrival\command\(Default) = "C:\Program Files\Nero\Nero8\Nero Burning Rom\nero.exe -w /New:ISODisc /Media:CD %L" ["Nero AG"]

NeroAutoPlay8DataDisc_DVD\
"Provider" = "Nero Express"
"InvokeProgID" = "Nero.AutoPlay8"
"InvokeVerb" = "DataDisc_DVD_HandleDVDBurningOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\DataDisc_DVD_HandleDVDBurningOnArrival\command\(Default) = "C:\Program Files\Nero\Nero8\Nero Burning Rom\nero.exe -w /New:ISODisc /Media:DVD %L" ["Nero AG"]

NeroAutoPlay8LaunchNeroStartSmart\
"Provider" = "Nero StartSmart"
"InvokeProgID" = "Nero.AutoPlay8"
"InvokeVerb" = "LaunchNeroStartSmart_HandleDVDBurningOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\LaunchNeroStartSmart_HandleDVDBurningOnArrival\command\(Default) = "C:\Program Files\Nero\Nero8\Nero StartSmart\NeroStartSmart.exe /AutoPlay" ["Nero AG"]

NeroAutoPlay8PlayAudioCD\
"Provider" = "Nero ShowTime"
"InvokeProgID" = "Nero.AutoPlay8"
"InvokeVerb" = "PlayAudioCD_PlayMusicFilesOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\PlayAudioCD_PlayMusicFilesOnArrival\command\(Default) = "C:\Program Files\Nero\Nero8\Nero ShowTime\ShowTime.exe /Play %L" ["Nero AG"]

NeroAutoPlay8PlayDVD\
"Provider" = "Nero ShowTime"
"InvokeProgID" = "Nero.AutoPlay8"
"InvokeVerb" = "PlayDVD_PlayVideoFilesOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\PlayDVD_PlayVideoFilesOnArrival\command\(Default) = "C:\Program Files\Nero\Nero8\Nero ShowTime\ShowTime.exe /Play %L" ["Nero AG"]

NeroAutoPlay8RipCD\
"Provider" = "Nero Burning ROM"
"InvokeProgID" = "Nero.AutoPlay8"
"InvokeVerb" = "RipCD_PlayCDAudioOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\RipCD_PlayCDAudioOnArrival\command\(Default) = "C:\Program Files\Nero\Nero8\Nero Burning Rom\nero.exe /Dialog:SaveTracks %L" ["Nero AG"]

NeroAutoPlay8TranscodeVideo\
"Provider" = "Nero Recode"
"InvokeProgID" = "Nero.AutoPlay8"
"InvokeVerb" = "TranscodeVideo_PlayDVDMovieOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\TranscodeVideo_PlayDVDMovieOnArrival\command\(Default) = "C:\Program Files\Nero\Nero8\Nero Recode\Recode.exe /New:CopyDVDVideo" ["Nero AG"]

NeroAutoPlay8VideoCapture\
"Provider" = "Nero Vision"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = ""C:\Program Files\Nero\Nero8\Nero Vision\NeroVision.exe" /New:VideoCapture"
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
-> {HKLM...CLSID} = "ShellExecute HW Event Handler"
\LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

NeroAutoPlay8ViewPhotos\
"Provider" = "Nero PhotoSnap Viewer"
"InvokeProgID" = "Nero.AutoPlay8"
"InvokeVerb" = "ViewPhotos_ShowPicturesOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\ViewPhotos_ShowPicturesOnArrival\command\(Default) = "C:\Program Files\Nero\Nero8\Nero PhotoSnap\PhotoSnapViewer.exe /" ["Nero AG"]

PCLEVideoCameraArrival\
"Provider" = "Pinnacle Studio"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = "C:\Program Files\Pinnacle\Studio 9\programs\studio.exe"
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
-> {HKLM...CLSID} = "ShellExecute HW Event Handler"
\LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

VLCPlayCDAudioOnArrival\
"Provider" = "VideoLAN VLC media player"
"InvokeProgID" = "VLC.CDAudio"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\VLC.CDAudio\shell\play\command\(Default) = "C:\Program Files\VideoLAN\VLC\vlc.exe --started-from-file cdda:%1" ["VideoLAN Team"]

VLCPlayDVDMovieOnArrival\
"Provider" = "VideoLAN VLC media player"
"InvokeProgID" = "VLC.DVDMovie"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\VLC.DVDMovie\shell\play\command\(Default) = "C:\Program Files\VideoLAN\VLC\vlc.exe --started-from-file dvd:%1" ["VideoLAN Team"]

Startup items in "PAPA" & "All Users" startup folders:
------------------------------------------------------

C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage
"Windows Defender" -> shortcut to: "C:\Program Files\Windows Defender\MSASCui.exe" [MS]

Enabled Scheduled Tasks:
------------------------

"MP Scheduled Scan" -> launches: "C:\Program Files\Windows Defender\MpCmdRun.exe Scan -RestrictPrivileges" [MS]
"Vérifier les mises à jour de Windows Live Toolbar" -> launches: "C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE" [MS]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 21
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar3.dll" ["Google Inc."]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar3.dll" ["Google Inc."]
"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}"
-> {HKLM...CLSID} = "Windows Live Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Windows Live Toolbar\msntb.dll" [MS]
"{F2CF5485-4E02-4F68-819C-B92DE9277049}"
-> {HKLM...CLSID} = "&Links"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar3.dll" ["Google Inc."]
"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}" = (no title provided)
-> {HKLM...CLSID} = "Windows Live Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Windows Live Toolbar\msntb.dll" [MS]

Explorer Bars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\

HKLM\SOFTWARE\Classes\CLSID\{85E0B171-04FA-11D1-B7DA-00A0C90348D6}\(Default) = "Statistiques d’Anti-Virus Internet"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll" ["Kaspersky Lab"]

HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Rechercher"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{1F460357-8A94-4D71-9CA3-AA4ACF32ED8E}\
"ButtonText" = "Statistiques d’Anti-Virus Internet"

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"

{B205A35E-1FC4-4CE3-818B-899DBBB3388C}\

{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}\
"MenuText" = "Spybot - Search & Destroy Configuration"
"CLSIDExtension" = "{53707962-6F74-2D53-2644-206D7942484F}"
-> {HKLM...CLSID} = "Spybot-S&D IE Protection"
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]

{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AshampooDefragService, AshampooDefragService, "C:\Program Files\Ashampoo\Ashampoo Magic Defrag\bin\aDefragService.exe" [" "]
C-DillaCdaC11BA, C-DillaCdaC11BA, "C:\WINDOWS\system32\drivers\CDAC11BA.EXE" ["Macrovision"]
Carte de performance WMI, WmiApSrv, "C:\WINDOWS\system32\wbem\wmiapsrv.exe" [MS]
Java Quick Starter, JavaQuickStarterService, ""C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf"" ["Sun Microsystems, Inc."]
Kaspersky Internet Security 7.0, AVP, ""C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" -r" ["Kaspersky Lab"]
Nero BackItUp Scheduler 3, Nero BackItUp Scheduler 3, "C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe" ["Nero AG"]
NMIndexingService, NMIndexingService, ""C:\Program Files\Fichiers communs\Nero\Lib\NMIndexingService.exe"" ["Nero AG"]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
Service Partage réseau du Lecteur Windows Media, WMPNetworkSvc, ""C:\Program Files\Windows Media Player\WMPNetwk.exe"" [MS]
Windows Defender, WinDefend, ""C:\Program Files\Windows Defender\MsMpEng.exe"" [MS]
Windows Search, WSearch, "C:\WINDOWS\system32\SearchIndexer.exe /Embedding" [MS]

---------- (launch time: 2009-03-19 09:51:33)
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 35 seconds.
---------- (total run time: 68 seconds)

Réponse 49 / 89

cgui33 Messages postés 1174 Date d'inscription vendredi 8 avril 2005 Statut Membre Dernière intervention 2 avril 2009 10
19 mars 2009 à 20:43

Re

Ce n'est pas celui que j'attendais ... mais c'est surement moi qui t'ai donné de mauvaises instructions.

Peux tu ouvrir la base de registre ?
Démarrer --> Exécuter
Tapes REGEDIT et valides
(Attention ne supprimes rien d'autre que le ligne qui nous interesse !)

Recherche ceci (dans la partie de gauche, c'est comme l'explorateur ! )
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\

Dans la partie de droite tu devrais voir ceci

Nom...............................Type................................ Données

Printspooler ................ REG_SZ ........................C:\Program Files\spooler.exe

+ d'autres logiciels lancés au démarrage du système !

Sélectionnes PrintSpooler et fais un clic droit :
Tu devrais voir apparaitre un menu avec :
Modifier
Modifier sources de données
Supprimer
Renommer

Sélectionnes Supprimer et valides !

Attends un peu et tapes F5 pour faire une mise à jour !
J'espère que cette fois elle va disparaitre !

Si tu n'est pas sûr de ce que tu fais demandes moi avant de le faire.

A+

bigblade Messages postés 95 Date d'inscription mardi 10 mars 2009 Statut Membre Dernière intervention 23 mai 2009 1
19 mars 2009 à 22:58

j ai eu du mal a trouvé car en faite la racine n est pas hklm, mais HKEY_CURRENT_USER et ensuite j ai suivi le chemin SOFTWARE\Microsoft\Windows\CurrentVersion\Run .
par contre a droite il n y a pas :
Printspooler ................ REG_SZ ........................C:\Program Files\spooler.exe

c est un premier resultat, je continu mes recherches sur une autre racine peut etre !

Réponse 50 / 89

bigblade Messages postés 95 Date d'inscription mardi 10 mars 2009 Statut Membre Dernière intervention 23 mai 2009 1
19 mars 2009 à 23:04

alors je l ai trouvé sous la racine :
HKEY_LOCAL_MACHINE
je le supprime comme tu dis ensuite quand je fais F5 il reapparait !!!!

j ai supprimer autre chose pour voir (qui etait sans interet) et ensuite en faisant F5
celui la ne reapparait pas !

Réponse 51 / 89

bigblade Messages postés 95 Date d'inscription mardi 10 mars 2009 Statut Membre Dernière intervention 23 mai 2009 1
22 mars 2009 à 22:51

est ce que j aurais epuisé toutes tes soluces ????
il est coriace hein, j ai bien choisi le titre !!!

Réponse 52 / 89

cgui33 Messages postés 1174 Date d'inscription vendredi 8 avril 2005 Statut Membre Dernière intervention 2 avril 2009 10
22 mars 2009 à 23:34

Re
Coriace (même s'il n'est plus là !)

Télécharge combofix sur ton Bureau (a moins que tu ne l'ai gardé)
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
IMPORTANT

désactive ton antivirus, durant l'utilisation de ComboFix . Merci. Tu réactives ensuite
puis

Double clique combofix.exe.
Tape sur la touche Y (Yes) pour démarrer le scan.
Lorsque le scan sera complété, un rapport apparaîtra. Copie/colle ce rapport dans ta prochaine réponse
NOTE : Le rapport se trouve également ici : C:\Combofix.txt

A demain

Réponse 53 / 89

bigblade Messages postés 95 Date d'inscription mardi 10 mars 2009 Statut Membre Dernière intervention 23 mai 2009 1
27 mars 2009 à 19:24

ComboFix 09-03-26.03 - PAPA 2009-03-27 18:51:51.3 - NTFSx86
Microsoft Windows XP Édition familiale 5.1.2600.3.1252.1.1036.18.1023.430 [GMT 1:00]
Lancé depuis: c:\telechargement\ComboFix.exe
AV: Kaspersky Internet Security *On-access scanning disabled* (Updated)
FW: Kaspersky Internet Security *disabled*
* Un nouveau point de restauration a été créé
.

(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\AVSredirect.dll
.
---- Exécution préalable -------
.
c:\program files\QUAD Utilities
c:\program files\QUAD Utilities\QUAD Registry Cleaner\Vista Scheduler.dll

.
((((((((((((((((((((((((((((( Fichiers créés du 2009-02-27 au 2009-03-27 ))))))))))))))))))))))))))))))))))))
.

2009-03-16 22:05 . 2009-03-16 22:05 <REP> d-------- c:\documents and settings\PAPA\Application Data\Malwarebytes
2009-03-16 22:04 . 2009-03-16 22:05 <REP> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-16 22:04 . 2009-03-16 22:04 <REP> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-16 22:04 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-16 22:04 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-16 17:22 . 2009-03-23 18:29 52 --a------ c:\windows\TEST.Scr
2009-03-16 17:17 . 2009-03-23 18:29 54 --a------ c:\windows\TEST.Cod
2009-03-15 14:30 . 2009-03-15 14:30 <REP> d-------- c:\program files\eRightSoft
2009-03-12 00:30 . 2009-03-12 00:30 579,584 --a--c--- c:\windows\system32\dllcache\user32.dll
2009-03-12 00:28 . 2009-03-12 00:28 <REP> d-------- c:\windows\ERUNT
2009-03-12 00:17 . 2008-11-06 02:03 <REP> d-------- C:\SDFix
2009-03-11 22:49 . 2009-03-11 22:49 328 --a------ C:\SupSp.bat
2009-03-11 20:56 . 2009-03-22 23:33 <REP> d-------- c:\documents and settings\PAPA\Application Data\Skype
2009-03-11 20:55 . 2009-03-11 20:56 <REP> d-------- c:\program files\Skype
2009-03-11 20:55 . 2009-03-11 20:55 <REP> d-------- c:\program files\Fichiers communs\Skype
2009-03-11 20:45 . 2009-03-11 20:45 <REP> d-------- c:\program files\Trend Micro
2009-03-07 11:40 . 2009-03-15 22:23 <REP> d-------- c:\program files\AviSynth 2.5
2009-03-07 11:40 . 2006-10-07 17:43 502,784 --a------ c:\windows\x2.64.exe
2009-03-07 11:40 . 2007-05-14 15:24 394,240 --a------ c:\windows\system32\Smab.dll
2009-03-07 11:40 . 2005-02-28 13:16 240,128 --a------ c:\windows\system32\x.264.exe
2009-03-07 11:40 . 2006-04-12 09:47 217,073 --a------ c:\windows\meta4.exe
2009-03-07 11:40 . 2004-01-25 00:00 70,656 --a------ c:\windows\system32\yv12vfw.dll
2009-03-07 11:40 . 2004-01-25 00:00 70,656 --a------ c:\windows\system32\i420vfw.dll
2009-03-07 11:40 . 2006-04-05 08:09 66,560 --a------ c:\windows\MOTA113.exe
2009-03-07 11:36 . 2005-02-13 00:00 186,880 -r-hs---- c:\windows\system32\RLOgg.ax
2009-03-07 11:36 . 2005-02-06 00:00 92,672 -r-hs---- c:\windows\system32\RLVorbisDec.ax
2009-03-07 11:36 . 2005-02-13 00:00 67,584 -r-hs---- c:\windows\system32\RLTheoraDec.ax
2009-03-07 11:36 . 2005-02-13 00:00 51,712 -r-hs---- c:\windows\system32\RLSpeexDec.ax
2009-03-07 11:35 . 2005-01-18 00:26 179,200 -r-hs---- c:\windows\system32\DiracSplitter.ax
2009-03-07 11:35 . 2006-08-16 15:53 175,104 -r-hs---- c:\windows\system32\CoreAAC.ax
2009-03-07 11:35 . 2005-02-22 17:55 81,920 -r-hs---- c:\windows\system32\aac_parser.ax
2009-02-27 19:49 . 2009-03-11 17:53 4,396 --a------ c:\windows\ad1.htm

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-27 17:55 4,031,264 --sha-w c:\windows\system32\drivers\fidbox2.dat
2009-03-27 17:55 138,668,576 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-03-27 17:40 --------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-03-27 17:36 378,668 --sha-w c:\windows\system32\drivers\fidbox2.idx
2009-03-27 17:36 1,857,212 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-03-27 17:14 1,346 ----a-w c:\documents and settings\PAPA\Application Data\wklnhst.dat
2009-03-27 14:52 --------- d-----w c:\program files\eMule
2009-03-22 20:33 --------- d-----w c:\documents and settings\PAPA\Application Data\skypePM
2009-03-15 18:46 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-11 22:31 --------- d-----w c:\program files\Cuisine Astuce
2009-03-11 21:01 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-03-11 19:56 --------- d-----w c:\documents and settings\All Users\Application Data\Skype
2009-03-11 19:15 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-07 10:01 --------- d-----w c:\documents and settings\PAPA\Application Data\U3
2009-02-25 14:47 --------- d-----w c:\program files\McDonaldsDragons
2009-02-22 13:11 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-21 08:51 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-02-20 22:18 --------- d-----w c:\documents and settings\PAPA\Application Data\Gaijin Ent
2009-02-20 22:08 --------- d-----w c:\documents and settings\PAPA\Application Data\VeniceMysteryData
2009-02-20 21:49 --------- d-----w c:\program files\ReflexiveArcade
2009-02-09 16:21 --------- d-----w c:\program files\Activision Value
2009-02-09 14:05 1,846,912 ----a-w c:\windows\system32\win32k.sys
2009-02-04 08:53 --------- d-----w c:\program files\IncrediMail
2009-02-03 19:25 89,601 ----a-w c:\windows\system32\drivers\klick.dat
2009-02-03 19:25 101,287 ----a-w c:\windows\system32\drivers\klin.dat
2009-01-28 11:21 16,474 -c--a-w c:\program files\players.cfge
2009-01-28 11:19 0 -c--a-w c:\program files\existcheck
2009-01-28 10:37 --------- d-----w c:\documents and settings\PAPA\Application Data\iWin
2008-05-02 12:54 49 -c--a-w c:\program files\game.cfg
2008-04-25 19:43 1,018 -c--a-w c:\program files\scores.cfge
2007-08-28 22:27 1,277,952 ----a-w c:\program files\JQSolitaire2.exe
2007-08-28 18:23 285,478 -c--a-w c:\program files\icon.ico
2007-08-28 18:16 73,728 -c--a-w c:\program files\zlib1.dll
2007-08-28 18:16 626,688 -c--a-w c:\program files\msvcr80.dll
2007-08-28 18:16 606,297 -c--a-w c:\program files\SDL.dll
2007-08-28 18:16 548,864 -c--a-w c:\program files\msvcp80.dll
2007-08-28 18:16 479,232 -c--a-w c:\program files\msvcm80.dll
2007-08-28 18:16 40,960 -c--a-w c:\program files\SDL_image.dll
2007-08-28 18:16 274,432 ----a-w c:\program files\SDL_mixer.dll
2007-08-28 18:16 19,296 -c--a-w c:\program files\readme.rtf
2007-08-28 18:16 180,224 ----a-w c:\program files\SDL_ttf.dll
2007-08-28 18:16 114,688 ----a-w c:\program files\libpng13.dll
2007-08-28 18:16 1,869 -c--a-w c:\program files\Microsoft.VC80.CRT.manifest
2007-08-28 18:16 1,052,672 -c--a-w c:\program files\iWin_GDF.dll
2007-08-28 18:15 1,781,760 -c--a-w c:\program files\framework.dll
2007-01-25 20:46 69,208 -c--a-w c:\documents and settings\PAPA\Application Data\GDIPFONTCACHEV1.DAT
2005-09-16 12:41 571,868 -c--a-w c:\program files\ProcessExplorerNt.zip
2005-08-22 11:33 68,918 -c--a-w c:\program files\procexp.chm
2005-08-22 11:29 1,238,544 -c--a-w c:\program files\procexp.exe
2004-01-05 08:12 1,293 -c--a-w c:\program files\README.TXT
2003-01-13 09:55 282,624 -c--a-w c:\program files\internet explorer\plugins\PanoViewer.dll
1999-04-30 15:00 98,304 -c--a-w c:\program files\internet explorer\plugins\UPjpeg.dll
2008-02-24 09:47 8,192 -csha-w c:\windows\o2cLicStore.bin
2008-05-15 20:52 32,768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\Historique\History.IE5\MSHist012008051520080516\index.dat
.

((((((((((((((((((((((((((((((((( Points de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Fichiers communs\Nero\Lib\NMBgMonitor.exe" [2007-09-20 202024]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-03 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PinnacleDriverCheck"="c:\windows\system32\PSDrvCheck.exe" [2004-03-10 406016]
"NVRaidService"="c:\windows\system32\nvraidservice.exe" [2004-12-07 84480]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-12-15 5513216]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2006-09-14 157592]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 1836328]
"NeroFilterCheck"="c:\program files\Fichiers communs\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2004-12-15 86016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"nwiz"="nwiz.exe" [2004-12-15 c:\windows\system32\nwiz.exe]
"CARPService"="carpserv.exe" [2003-03-19 c:\windows\system32\carpserv.exe]
"SoundMan"="SOUNDMAN.EXE" [2005-02-23 c:\windows\SOUNDMAN.EXE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\FICHIE~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]

c:\documents and settings\All Users\Menu D‚marrer\Programmes\D‚marrage\
Windows Defender.lnk - c:\program files\Windows Defender\MSASCui.exe [2006-11-03 866584]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= i420vfw.dll
"vidc.iv31"= c:\windows\system32\ir32_32.dll
"vidc.iv32"= c:\windows\system32\ir32_32.dll
"VIDC.MJPG"= Pvmjpg21.dll
"VIDC.PIM1"= pclepim1.dll
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"msacm.divxa32"= DivXa32.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^Ashampoo Magic Defrag.lnk]
backup=c:\windows\pss\Ashampoo Magic Defrag.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^PAPA^Menu Démarrer^Programmes^Démarrage^TribalWeb.net.lnk]
path=c:\documents and settings\PAPA\Menu Démarrer\Programmes\Démarrage\TribalWeb.net.lnk
backup=c:\windows\pss\TribalWeb.net.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IncrediMail]
--a------ 2009-01-27 13:10 251264 c:\program files\IncrediMail\bin\IncMail.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
-----c--- 2005-10-11 17:25 1961984 c:\program files\Ahead\Nero BackItUp\NBJ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroNETTrayIcon]
-----c--- 2003-02-18 17:00 212992 c:\program files\Ahead\NeroNET\nnservicectrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\IncrediMail\\bin\\IMApp.exe"=
"c:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
"c:\\Program Files\\KONAMI\\Pro Evolution Soccer 2008\\PES2008.exe"=
"c:\program files\Neuf\Media Center\httpd\httpd.exe"= c:\program files\Neuf\Media Center\httpd\httpd.exe:172.16.255.0/255.255.255.0,192.168.1.2/255.255.255.255:Enabled:Serveur de partage Media Center (Player Neuf Cegetel)
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\UBISOFT\\Ghost Recon Advanced Warfighter 2\\graw2.exe"=
"c:\\Program Files\\Electronic Arts\\La Bataille pour la Terre du Milieu II\\game.dat"=
"c:\\Program Files\\Fichiers communs\\Nero\\Nero Web\\SetupX.exe"=
"c:\\Program Files\\Kaspersky Lab\\Kaspersky Internet Security 7.0\\avp.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3728:TCP"= 3728:TCP:127.0.0.1

R0 tffsport;M-Systems DiskOnChip 2000;c:\windows\system32\drivers\tffsport.sys [2008-02-23 149376]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
R3 3xHybrid;3xHybrid service;c:\windows\system32\drivers\3xHybrid.sys [2005-01-19 945152]
R3 IMT0521;Inmax USB IMT-0521 Smartcard Reader;c:\windows\system32\drivers\IMT0521.sys [2005-01-19 34825]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2007-04-04 24344]
S2 NeroNET;NeroNET;c:\program files\Ahead\NeroNET\NeroNET.exe -w --> c:\program files\Ahead\NeroNET\NeroNET.exe -w [?]
S3 maconfservice;Ma-Config Service;c:\program files\ma-config.com\maconfservice.exe [2008-09-02 191656]
S3 QCEmerald;QuickCam Web Logitech;c:\windows\system32\drivers\OVCE.sys [2005-08-22 31872]
S3 SCR33X USB Smart Card Reader;SCR33X USB Smart Card Reader;c:\windows\system32\drivers\SCR33X2K.sys [2005-01-19 63608]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1865fad3-b7a0-11dd-852e-000fea7e2075}]
\Shell\AutoRun\command - M:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bf9ec1c1-6a2f-11d9-92be-806d6172696f}]
\Shell\AutoRun\command - E:\Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e8b324f5-bdc5-11dc-831d-000fea7e2075}]
\Shell\AutoRun\command - k:\wd_windows_tools\setup.exe
.
Contenu du dossier 'Tâches planifiées'

2009-03-27 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]

2009-03-27 c:\windows\Tasks\Vérifier les mises à jour de Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]
.
- - - - ORPHELINS SUPPRIMES - - - -

HKLM-Run-Printspooler - c:\program files\spooler.exe

.
------- Examen supplémentaire -------
.
uStart Page = hxxp://mystart.incredimail.com/french/
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://g.msn.fr/0SEFRFR/SAOS01?FORM=TOOLBR
IE: &Add animation to IncrediMail Style Box - c:\program files\IncrediMail\bin\resources\WebMenuImg.htm
IE: &Recherche AOL Toolbar - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Ajouter à Kaspersky Anti-Bannière - c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
IE: E&xporter vers Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: Ouvrir dans un nouvel onglet d'arrière-plan - c:\program files\Windows Live Toolbar\Components\fr-fr\msntabres.dll.mui/229?eeec0c9ff9914156a6509a069904d306
IE: Ouvrir dans un nouvel onglet de premier plan - c:\program files\Windows Live Toolbar\Components\fr-fr\msntabres.dll.mui/230?eeec0c9ff9914156a6509a069904d306
FF - ProfilePath - c:\documents and settings\PAPA\Application Data\Mozilla\Firefox\Profiles\fqrpjbey.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.neufportail.fr/
FF - prefs.js: keyword.URL - hxxp://mystart.incredimail.com/?loc=ff_address_bar&search=
FF - plugin: c:\program files\ma-config.com\nphardwaredetection.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npExentCtl.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-27 18:55:22
Windows 5.1.2600 Service Pack 3 NTFS

Recherche de processus cachés ...

Recherche d'éléments en démarrage automatique cachés ...

Recherche de fichiers cachés ...

Scan terminé avec succès
Fichiers cachés: 0

**************************************************************************
"ImagePath"="\??\c:\documents and settings\PAPA\Mes documents\bruno.dapoigny\More TV 3
[1].42 - Regarder Canal Plus en Clair -Decoder Canal - - Decodeur- -Free TV- -French- -- chb ---1-\more342\HWIONT.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\HWIONT]
"ImagePath"="\??\c:\documents and settings\PAPA\Mes documents\bruno.dapoigny\More TV 3
.
--------------------- CLES DE REGISTRE BLOQUEES ---------------------

[HKEY_USERS\S-1-5-21-3542216805-3780390227-2774239341-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-3542216805-3780390227-2774239341-1006\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:4b,f1,83,fb,0f,f2,ed,a4,37,7f,51,d3,69,a1,4b,54,0e,fd,3f,89,dc,13,67,
dd,38,2e,30,2b,55,39,78,48,43,c8,14,dc,c6,38,b2,89,04,4d,b4,72,24,4d,a0,66,\
"??"=hex:41,fb,f2,8a,78,03,11,c6,3a,92,23,9a,e5,5f,8c,26

[HKEY_USERS\S-1-5-21-3542216805-3780390227-2774239341-1006\Software\SecuROM\License information*]
"datasecu"=hex:30,a0,33,15,65,05,e6,4e,98,68,c3,08,d6,c3,64,a6,f1,a0,20,5f,dc,
7d,6a,f7,9a,eb,b2,58,c5,1c,e9,91,3c,74,92,d2,05,01,77,87,45,2d,65,8e,0d,27,\
"rkeysecu"=hex:98,9f,b3,2d,08,4e,ea,02,64,ee,2b,12,f4,37,a7,df

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:e2,63,26,f1,3f,c8,ff,68,15,87,0a,0d,98,
f5,a8,a9,e2,63,26,f1,3f,c8,ff,68,10,83,ec,3b,17,35,66,21,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:71,3b,04,66,8b,46,0d,96,87,44,e7,30,5d,
63,b0,ca,6a,9c,d6,61,af,45,84,18,2b,13,a9,ea,56,18,3e,a9,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:ff,7c,85,e0,43,d4,0e,fe,3b,62,5a,05,3a,
4b,c0,1b,ff,7c,85,e0,43,d4,0e,fe,56,fd,7a,34,47,32,09,01,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:86,8c,21,01,be,91,eb,e7,a3,d3,10,95,26,
f9,fc,37,86,8c,21,01,be,91,eb,e7,eb,ad,aa,14,4d,b2,27,6a,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:f5,1d,4d,73,a8,13,5c,05,23,4a,3e,70,62,
29,8a,b7,f5,1d,4d,73,a8,13,5c,05,d4,5f,61,b9,d6,16,f3,08,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:b0,18,ed,a7,3f,8d,37,a4,18,e9,ef,6d,9c,
9d,96,c9,df,20,58,62,78,6b,cf,c8,86,c6,71,76,c9,2c,95,bc,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:fb,a7,78,e6,12,2f,9a,ea,6a,c3,98,4e,f1,
4e,7f,ae,fb,a7,78,e6,12,2f,9a,ea,0f,f6,8e,c3,8b,86,82,dd,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:83,6c,56,8b,a0,85,96,ab,87,c3,4f,8b,6a,
80,c4,ce,01,3a,48,fc,e8,04,4a,f1,1a,da,d2,e4,7d,48,73,8e,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:b2,46,9a,e2,1b,fe,1b,94,ad,9b,c5,6f,4c,
6b,91,3e,f6,0f,4e,58,98,5b,89,c9,07,ac,3d,64,e6,b2,b3,53,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:3d,ce,ea,26,2d,45,aa,78,b4,42,c6,99,8b,
1c,f9,3b,3d,ce,ea,26,2d,45,aa,78,68,3d,b4,34,96,a7,c8,ea,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:2a,b7,cc,b5,b9,7f,41,e7,8f,b7,9c,67,bc,
36,74,34,2a,b7,cc,b5,b9,7f,41,e7,70,c7,19,44,c3,d8,ef,69,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:6c,43,2d,1e,aa,22,2f,9c,56,e0,11,76,e0,
a2,1d,57,6c,43,2d,1e,aa,22,2f,9c,9d,62,85,32,ca,bf,b4,2e,6c,43,2d,1e,aa,22,\
.
--------------------- DLLs chargées dans les processus actifs ---------------------

- - - - - - - > 'winlogon.exe'(1108)
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\miscr3.dll
c:\windows\system32\klogon.dll
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\adialhk.dll

- - - - - - - > 'lsass.exe'(1164)
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\dnsq.dll
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\miscr3.dll
.
Heure de fin: 2009-03-27 18:57:30
ComboFix-quarantined-files.txt 2009-03-27 17:57:27

Avant-CF: 110,294,810,624 octets libres
Après-CF: 110,262,509,568 octets libres

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
334 --- E O F --- 2009-03-26 17:27:29

Réponse 54 / 89

cgui33 Messages postés 1174 Date d'inscription vendredi 8 avril 2005 Statut Membre Dernière intervention 2 avril 2009 10
28 mars 2009 à 20:54

Re

Copies toutes les lignes ci-dessous (en gras)

File::
c:\windows\MOTA113.exe
c:\windows\ad1.htm

Colle les dans un document texte que tu nommeras Cfscript (.txt) sur ton bureau
Ensuite glisses le sur combofix
Une fenêtre bleue va apparaître: au message qui apparaît ( Type 1 to continue, or 2 to abort) , tape 1 puis valide.
Patiente le temps du scan.Le bureau va disparaître à plusieurs reprises: c'est normal!
Ne touche à rien tant que le scan n'est pas terminé.
Une fois le scan achevé, un rapport va s'afficher: poste son contenu.

Si le fichier ne s'ouvre pas, il se nomme : ComboFix.txt
Et fais ensuite un test avec Ccleaner !
A+

Réponse 55 / 89

bigblade Messages postés 95 Date d'inscription mardi 10 mars 2009 Statut Membre Dernière intervention 23 mai 2009 1
28 mars 2009 à 23:39

ComboFix 09-03-26.03 - PAPA 2009-03-28 23:29:16.4 - NTFSx86
Microsoft Windows XP Édition familiale 5.1.2600.3.1252.1.1036.18.1023.349 [GMT 1:00]
Lancé depuis: c:\telechargement\ComboFix.exe
Commutateurs utilisés :: c:\documents and settings\PAPA\Bureau\Cfscript.txt
AV: Kaspersky Internet Security *On-access scanning disabled* (Updated)
FW: Kaspersky Internet Security *disabled*
* Un nouveau point de restauration a été créé

FILE ::
c:\windows\ad1.htm
c:\windows\MOTA113.exe
.

(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\ad1.htm
c:\windows\MOTA113.exe

.
((((((((((((((((((((((((((((( Fichiers créés du 2009-02-28 au 2009-03-28 ))))))))))))))))))))))))))))))))))))
.

2009-03-16 22:05 . 2009-03-16 22:05 <REP> d-------- c:\documents and settings\PAPA\Application Data\Malwarebytes
2009-03-16 22:04 . 2009-03-16 22:05 <REP> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-16 22:04 . 2009-03-16 22:04 <REP> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-16 22:04 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-16 22:04 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-16 17:22 . 2009-03-23 18:29 52 --a------ c:\windows\TEST.Scr
2009-03-16 17:17 . 2009-03-23 18:29 54 --a------ c:\windows\TEST.Cod
2009-03-15 14:30 . 2009-03-15 14:30 <REP> d-------- c:\program files\eRightSoft
2009-03-12 00:30 . 2009-03-12 00:30 579,584 --a--c--- c:\windows\system32\dllcache\user32.dll
2009-03-12 00:28 . 2009-03-12 00:28 <REP> d-------- c:\windows\ERUNT
2009-03-12 00:17 . 2008-11-06 02:03 <REP> d-------- C:\SDFix
2009-03-11 22:49 . 2009-03-11 22:49 328 --a------ C:\SupSp.bat
2009-03-11 20:56 . 2009-03-28 20:29 <REP> d-------- c:\documents and settings\PAPA\Application Data\Skype
2009-03-11 20:55 . 2009-03-11 20:56 <REP> d-------- c:\program files\Skype
2009-03-11 20:55 . 2009-03-11 20:55 <REP> d-------- c:\program files\Fichiers communs\Skype
2009-03-11 20:45 . 2009-03-11 20:45 <REP> d-------- c:\program files\Trend Micro
2009-03-07 11:40 . 2009-03-15 22:23 <REP> d-------- c:\program files\AviSynth 2.5
2009-03-07 11:40 . 2006-10-07 17:43 502,784 --a------ c:\windows\x2.64.exe
2009-03-07 11:40 . 2007-05-14 15:24 394,240 --a------ c:\windows\system32\Smab.dll
2009-03-07 11:40 . 2005-02-28 13:16 240,128 --a------ c:\windows\system32\x.264.exe
2009-03-07 11:40 . 2006-04-12 09:47 217,073 --a------ c:\windows\meta4.exe
2009-03-07 11:40 . 2004-01-25 00:00 70,656 --a------ c:\windows\system32\yv12vfw.dll
2009-03-07 11:40 . 2004-01-25 00:00 70,656 --a------ c:\windows\system32\i420vfw.dll
2009-03-07 11:36 . 2005-02-13 00:00 186,880 -r-hs---- c:\windows\system32\RLOgg.ax
2009-03-07 11:36 . 2005-02-06 00:00 92,672 -r-hs---- c:\windows\system32\RLVorbisDec.ax
2009-03-07 11:36 . 2005-02-13 00:00 67,584 -r-hs---- c:\windows\system32\RLTheoraDec.ax
2009-03-07 11:36 . 2005-02-13 00:00 51,712 -r-hs---- c:\windows\system32\RLSpeexDec.ax
2009-03-07 11:35 . 2005-01-18 00:26 179,200 -r-hs---- c:\windows\system32\DiracSplitter.ax
2009-03-07 11:35 . 2006-08-16 15:53 175,104 -r-hs---- c:\windows\system32\CoreAAC.ax
2009-03-07 11:35 . 2005-02-22 17:55 81,920 -r-hs---- c:\windows\system32\aac_parser.ax

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-28 22:34 139,129,120 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-03-28 22:33 4,043,808 --sha-w c:\windows\system32\drivers\fidbox2.dat
2009-03-28 17:18 --------- d-----w c:\documents and settings\PAPA\Application Data\skypePM
2009-03-28 17:05 --------- d-----w c:\program files\eMule
2009-03-28 10:01 2,574 ----a-w c:\documents and settings\PAPA\Application Data\wklnhst.dat
2009-03-28 08:27 --------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-03-27 22:52 379,340 --sha-w c:\windows\system32\drivers\fidbox2.idx
2009-03-27 22:52 1,859,732 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-03-15 18:46 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-11 22:31 --------- d-----w c:\program files\Cuisine Astuce
2009-03-11 21:01 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-03-11 19:56 --------- d-----w c:\documents and settings\All Users\Application Data\Skype
2009-03-11 19:15 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-07 10:01 --------- d-----w c:\documents and settings\PAPA\Application Data\U3
2009-02-25 14:47 --------- d-----w c:\program files\McDonaldsDragons
2009-02-22 13:11 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-21 08:51 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-02-20 22:18 --------- d-----w c:\documents and settings\PAPA\Application Data\Gaijin Ent
2009-02-20 22:08 --------- d-----w c:\documents and settings\PAPA\Application Data\VeniceMysteryData
2009-02-20 21:49 --------- d-----w c:\program files\ReflexiveArcade
2009-02-09 16:21 --------- d-----w c:\program files\Activision Value
2009-02-09 14:05 1,846,912 ----a-w c:\windows\system32\win32k.sys
2009-02-04 08:53 --------- d-----w c:\program files\IncrediMail
2009-02-03 19:25 89,601 ----a-w c:\windows\system32\drivers\klick.dat
2009-02-03 19:25 101,287 ----a-w c:\windows\system32\drivers\klin.dat
2009-01-28 11:21 16,474 -c--a-w c:\program files\players.cfge
2009-01-28 11:19 0 -c--a-w c:\program files\existcheck
2009-01-28 10:37 --------- d-----w c:\documents and settings\PAPA\Application Data\iWin
2008-05-02 12:54 49 -c--a-w c:\program files\game.cfg
2008-04-25 19:43 1,018 -c--a-w c:\program files\scores.cfge
2007-08-28 22:27 1,277,952 ----a-w c:\program files\JQSolitaire2.exe
2007-08-28 18:23 285,478 -c--a-w c:\program files\icon.ico
2007-08-28 18:16 73,728 -c--a-w c:\program files\zlib1.dll
2007-08-28 18:16 626,688 -c--a-w c:\program files\msvcr80.dll
2007-08-28 18:16 606,297 -c--a-w c:\program files\SDL.dll
2007-08-28 18:16 548,864 -c--a-w c:\program files\msvcp80.dll
2007-08-28 18:16 479,232 -c--a-w c:\program files\msvcm80.dll
2007-08-28 18:16 40,960 -c--a-w c:\program files\SDL_image.dll
2007-08-28 18:16 274,432 ----a-w c:\program files\SDL_mixer.dll
2007-08-28 18:16 19,296 -c--a-w c:\program files\readme.rtf
2007-08-28 18:16 180,224 ----a-w c:\program files\SDL_ttf.dll
2007-08-28 18:16 114,688 ----a-w c:\program files\libpng13.dll
2007-08-28 18:16 1,869 -c--a-w c:\program files\Microsoft.VC80.CRT.manifest
2007-08-28 18:16 1,052,672 -c--a-w c:\program files\iWin_GDF.dll
2007-08-28 18:15 1,781,760 -c--a-w c:\program files\framework.dll
2007-01-25 20:46 69,208 -c--a-w c:\documents and settings\PAPA\Application Data\GDIPFONTCACHEV1.DAT
2005-09-16 12:41 571,868 -c--a-w c:\program files\ProcessExplorerNt.zip
2005-08-22 11:33 68,918 -c--a-w c:\program files\procexp.chm
2005-08-22 11:29 1,238,544 -c--a-w c:\program files\procexp.exe
2004-01-05 08:12 1,293 -c--a-w c:\program files\README.TXT
2003-01-13 09:55 282,624 -c--a-w c:\program files\internet explorer\plugins\PanoViewer.dll
1999-04-30 15:00 98,304 -c--a-w c:\program files\internet explorer\plugins\UPjpeg.dll
2008-02-24 09:47 8,192 -csha-w c:\windows\o2cLicStore.bin
2008-05-15 20:52 32,768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\Historique\History.IE5\MSHist012008051520080516\index.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-03-27_18.56.06.50 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-03-28 08:24:59 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_294.dat
.
((((((((((((((((((((((((((((((((( Points de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Fichiers communs\Nero\Lib\NMBgMonitor.exe" [2007-09-20 202024]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-03 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PinnacleDriverCheck"="c:\windows\system32\PSDrvCheck.exe" [2004-03-10 406016]
"NVRaidService"="c:\windows\system32\nvraidservice.exe" [2004-12-07 84480]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-12-15 5513216]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2006-09-14 157592]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 1836328]
"NeroFilterCheck"="c:\program files\Fichiers communs\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2004-12-15 86016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"Printspooler"="c:\program files\spooler.exe" [BU]
"nwiz"="nwiz.exe" [2004-12-15 c:\windows\system32\nwiz.exe]
"CARPService"="carpserv.exe" [2003-03-19 c:\windows\system32\carpserv.exe]
"SoundMan"="SOUNDMAN.EXE" [2005-02-23 c:\windows\SOUNDMAN.EXE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\FICHIE~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]

c:\documents and settings\All Users\Menu D‚marrer\Programmes\D‚marrage\
Windows Defender.lnk - c:\program files\Windows Defender\MSASCui.exe [2006-11-03 866584]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= i420vfw.dll
"vidc.iv31"= c:\windows\system32\ir32_32.dll
"vidc.iv32"= c:\windows\system32\ir32_32.dll
"VIDC.MJPG"= Pvmjpg21.dll
"VIDC.PIM1"= pclepim1.dll
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"msacm.divxa32"= DivXa32.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^Ashampoo Magic Defrag.lnk]
backup=c:\windows\pss\Ashampoo Magic Defrag.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^PAPA^Menu Démarrer^Programmes^Démarrage^TribalWeb.net.lnk]
path=c:\documents and settings\PAPA\Menu Démarrer\Programmes\Démarrage\TribalWeb.net.lnk
backup=c:\windows\pss\TribalWeb.net.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IncrediMail]
--a------ 2009-01-27 13:10 251264 c:\program files\IncrediMail\bin\IncMail.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
-----c--- 2005-10-11 17:25 1961984 c:\program files\Ahead\Nero BackItUp\NBJ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroNETTrayIcon]
-----c--- 2003-02-18 17:00 212992 c:\program files\Ahead\NeroNET\nnservicectrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\IncrediMail\\bin\\IMApp.exe"=
"c:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
"c:\\Program Files\\KONAMI\\Pro Evolution Soccer 2008\\PES2008.exe"=
"c:\program files\Neuf\Media Center\httpd\httpd.exe"= c:\program files\Neuf\Media Center\httpd\httpd.exe:172.16.255.0/255.255.255.0,192.168.1.2/255.255.255.255:Enabled:Serveur de partage Media Center (Player Neuf Cegetel)
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\UBISOFT\\Ghost Recon Advanced Warfighter 2\\graw2.exe"=
"c:\\Program Files\\Electronic Arts\\La Bataille pour la Terre du Milieu II\\game.dat"=
"c:\\Program Files\\Fichiers communs\\Nero\\Nero Web\\SetupX.exe"=
"c:\\Program Files\\Kaspersky Lab\\Kaspersky Internet Security 7.0\\avp.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3728:TCP"= 3728:TCP:127.0.0.1

R0 tffsport;M-Systems DiskOnChip 2000;c:\windows\system32\drivers\tffsport.sys [2008-02-23 149376]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
R3 3xHybrid;3xHybrid service;c:\windows\system32\drivers\3xHybrid.sys [2005-01-19 945152]
R3 IMT0521;Inmax USB IMT-0521 Smartcard Reader;c:\windows\system32\drivers\IMT0521.sys [2005-01-19 34825]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2007-04-04 24344]
S2 NeroNET;NeroNET;c:\program files\Ahead\NeroNET\NeroNET.exe -w --> c:\program files\Ahead\NeroNET\NeroNET.exe -w [?]
S3 maconfservice;Ma-Config Service;c:\program files\ma-config.com\maconfservice.exe [2008-09-02 191656]
S3 QCEmerald;QuickCam Web Logitech;c:\windows\system32\drivers\OVCE.sys [2005-08-22 31872]
S3 SCR33X USB Smart Card Reader;SCR33X USB Smart Card Reader;c:\windows\system32\drivers\SCR33X2K.sys [2005-01-19 63608]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1865fad3-b7a0-11dd-852e-000fea7e2075}]
\Shell\AutoRun\command - M:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bf9ec1c1-6a2f-11d9-92be-806d6172696f}]
\Shell\AutoRun\command - E:\Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e8b324f5-bdc5-11dc-831d-000fea7e2075}]
\Shell\AutoRun\command - k:\wd_windows_tools\setup.exe
.
Contenu du dossier 'Tâches planifiées'

2009-03-28 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]

2009-03-28 c:\windows\Tasks\Vérifier les mises à jour de Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]
.
.
------- Examen supplémentaire -------
.
uStart Page = hxxp://mystart.incredimail.com/french/
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://g.msn.fr/0SEFRFR/SAOS01?FORM=TOOLBR
IE: &Add animation to IncrediMail Style Box - c:\program files\IncrediMail\bin\resources\WebMenuImg.htm
IE: &Recherche AOL Toolbar - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Ajouter à Kaspersky Anti-Bannière - c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
IE: E&xporter vers Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: Ouvrir dans un nouvel onglet d'arrière-plan - c:\program files\Windows Live Toolbar\Components\fr-fr\msntabres.dll.mui/229?eeec0c9ff9914156a6509a069904d306
IE: Ouvrir dans un nouvel onglet de premier plan - c:\program files\Windows Live Toolbar\Components\fr-fr\msntabres.dll.mui/230?eeec0c9ff9914156a6509a069904d306
FF - ProfilePath - c:\documents and settings\PAPA\Application Data\Mozilla\Firefox\Profiles\fqrpjbey.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.neufportail.fr/
FF - prefs.js: keyword.URL - hxxp://mystart.incredimail.com/?loc=ff_address_bar&search=
FF - plugin: c:\program files\ma-config.com\nphardwaredetection.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npExentCtl.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-28 23:33:51
Windows 5.1.2600 Service Pack 3 NTFS

Recherche de processus cachés ...

Recherche d'éléments en démarrage automatique cachés ...

Recherche de fichiers cachés ...

Scan terminé avec succès
Fichiers cachés: 0

**************************************************************************
"ImagePath"="\??\c:\documents and settings\PAPA\Mes documents\bruno.dapoigny\More TV 3
[1].42 - Regarder Canal Plus en Clair -Decoder Canal - - Decodeur- -Free TV- -French- -- chb ---1-\more342\HWIONT.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\HWIONT]
"ImagePath"="\??\c:\documents and settings\PAPA\Mes documents\bruno.dapoigny\More TV 3
.
--------------------- CLES DE REGISTRE BLOQUEES ---------------------

[HKEY_USERS\S-1-5-21-3542216805-3780390227-2774239341-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-3542216805-3780390227-2774239341-1006\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:4b,f1,83,fb,0f,f2,ed,a4,37,7f,51,d3,69,a1,4b,54,0e,fd,3f,89,dc,13,67,
dd,38,2e,30,2b,55,39,78,48,43,c8,14,dc,c6,38,b2,89,04,4d,b4,72,24,4d,a0,66,\
"??"=hex:41,fb,f2,8a,78,03,11,c6,3a,92,23,9a,e5,5f,8c,26

[HKEY_USERS\S-1-5-21-3542216805-3780390227-2774239341-1006\Software\SecuROM\License information*]
"datasecu"=hex:30,a0,33,15,65,05,e6,4e,98,68,c3,08,d6,c3,64,a6,f1,a0,20,5f,dc,
7d,6a,f7,9a,eb,b2,58,c5,1c,e9,91,3c,74,92,d2,05,01,77,87,45,2d,65,8e,0d,27,\
"rkeysecu"=hex:98,9f,b3,2d,08,4e,ea,02,64,ee,2b,12,f4,37,a7,df

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:e2,63,26,f1,3f,c8,ff,68,15,87,0a,0d,98,
f5,a8,a9,e2,63,26,f1,3f,c8,ff,68,10,83,ec,3b,17,35,66,21,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:71,3b,04,66,8b,46,0d,96,87,44,e7,30,5d,
63,b0,ca,6a,9c,d6,61,af,45,84,18,2b,13,a9,ea,56,18,3e,a9,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:ff,7c,85,e0,43,d4,0e,fe,3b,62,5a,05,3a,
4b,c0,1b,ff,7c,85,e0,43,d4,0e,fe,56,fd,7a,34,47,32,09,01,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:86,8c,21,01,be,91,eb,e7,a3,d3,10,95,26,
f9,fc,37,86,8c,21,01,be,91,eb,e7,eb,ad,aa,14,4d,b2,27,6a,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:f5,1d,4d,73,a8,13,5c,05,23,4a,3e,70,62,
29,8a,b7,f5,1d,4d,73,a8,13,5c,05,d4,5f,61,b9,d6,16,f3,08,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:b0,18,ed,a7,3f,8d,37,a4,18,e9,ef,6d,9c,
9d,96,c9,df,20,58,62,78,6b,cf,c8,86,c6,71,76,c9,2c,95,bc,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:fb,a7,78,e6,12,2f,9a,ea,6a,c3,98,4e,f1,
4e,7f,ae,fb,a7,78,e6,12,2f,9a,ea,0f,f6,8e,c3,8b,86,82,dd,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:83,6c,56,8b,a0,85,96,ab,87,c3,4f,8b,6a,
80,c4,ce,01,3a,48,fc,e8,04,4a,f1,1a,da,d2,e4,7d,48,73,8e,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:b2,46,9a,e2,1b,fe,1b,94,ad,9b,c5,6f,4c,
6b,91,3e,f6,0f,4e,58,98,5b,89,c9,07,ac,3d,64,e6,b2,b3,53,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:3d,ce,ea,26,2d,45,aa,78,b4,42,c6,99,8b,
1c,f9,3b,3d,ce,ea,26,2d,45,aa,78,68,3d,b4,34,96,a7,c8,ea,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:2a,b7,cc,b5,b9,7f,41,e7,8f,b7,9c,67,bc,
36,74,34,2a,b7,cc,b5,b9,7f,41,e7,70,c7,19,44,c3,d8,ef,69,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:6c,43,2d,1e,aa,22,2f,9c,56,e0,11,76,e0,
a2,1d,57,6c,43,2d,1e,aa,22,2f,9c,9d,62,85,32,ca,bf,b4,2e,6c,43,2d,1e,aa,22,\
.
--------------------- DLLs chargées dans les processus actifs ---------------------

- - - - - - - > 'winlogon.exe'(1108)
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\miscr3.dll
c:\windows\system32\klogon.dll
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\adialhk.dll

- - - - - - - > 'lsass.exe'(1168)
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\dnsq.dll
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\miscr3.dll
.
Heure de fin: 2009-03-28 23:35:59
ComboFix-quarantined-files.txt 2009-03-28 22:35:57
ComboFix2.txt 2009-03-27 17:57:35

Avant-CF: 106 668 249 088 octets libres
Après-CF: 106,640,027,648 octets libres

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
336 --- E O F --- 2009-03-26 17:27:29

Réponse 56 / 89

bigblade Messages postés 95 Date d'inscription mardi 10 mars 2009 Statut Membre Dernière intervention 23 mai 2009 1
28 mars 2009 à 23:44

toujours la apres le ccleaner !!
et aussi apres suppression dans le regedit et F5 il reapparait encore et encore
nota : dans mon gestionnaire de tache, j ai dans les processus un spoolsv.exe ???

cgui33 Messages postés 1174 Date d'inscription vendredi 8 avril 2005 Statut Membre Dernière intervention 2 avril 2009 10
29 mars 2009 à 00:03

Il est légitime celui là !
A+

Réponse 57 / 89

cgui33 Messages postés 1174 Date d'inscription vendredi 8 avril 2005 Statut Membre Dernière intervention 2 avril 2009 10
2 avril 2009 à 00:12

Salut
je pars pour 10 jours.
Dis moi ou tu en es ... vers le 12.
Je pense que je lancerai un appel pour tenter de résoudre ce pb !
Inutile de formater ton disque d'ici là !
A+

bigblade Messages postés 95 Date d'inscription mardi 10 mars 2009 Statut Membre Dernière intervention 23 mai 2009 1
21 avril 2009 à 21:05

désolé moi aussi j étais en vacances, pour mon problème il est toujours la !
mais apparemment inactif ou alors très silencieux ! je le vois seulement quand
je fais un ccleaner

a bientot

bigblade Messages postés 95 Date d'inscription mardi 10 mars 2009 Statut Membre Dernière intervention 23 mai 2009 1
2 mai 2009 à 11:22

est ce que tu veux bien reprendre la partie ?
il est toujours la et je suppose que c est lui car j ai de nouveau des ennuis avec mes parametres mozilla

Réponse 58 / 89

chimay8 Messages postés 7720 Date d'inscription jeudi 1 mai 2008 Statut Contributeur sécurité Dernière intervention 3 janvier 2014 60
9 mai 2009 à 09:52

re,

on va nettoyer les vieux outils en premier

Télécharge OTCleanIT de Old Timer.
http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe
Double-clique sur OTCleanIt.exe.
Cliquez sur le bouton "CleanUp!" .
Sélectionnez Oui lorsque la demande " processus de nettoyage?" s'affiche.
Si tu es invité à redémarrer le PC au cours de l'assainissement, sélectionne Oui.
L'outil va se supprimer lui-même une fois la fin de l'opération.
Sinon supprime le manuellement.

ensuite

Télécharge et installe UsbFix de C_XX & Chiquitine29

Branche tes sources de données externes à ton PC, (clé USB, disque dur externe, etc...) susceptibles d avoir été infectées sans les ouvrir

# Double-clique sur le raccourci UsbFix présent sur ton bureau .

# Choisis l'option 1 ( Recherche )

# Laisse travailler l'outil...

# Ensuite,poste le rapport UsbFix.txt qui apparaitra.

# Note : Le rapport UsbFix.txt est en outre sauvegardé à la racine du disque. ( C:\UsbFix.txt )

( CTRL+A Pour tout sélectionner , CTRL+C pour copier et CTRL+V pour coller )

# Note : "Process.exe", une composante de l'outil, est détecté par certains antivirus (AntiVir, Dr.Web, Kaspersky Anti-Virus) comme étant un RiskTool.
Il ne s'agit pas d'un malware, mais d'un utilitaire destiné à mettre fin à des processus.
Mis entre de mauvaises mains, cet utilitaire pourrait arrêter des logiciels de sécurité (Antivirus, Firewall...) d'où l'alerte émise par ces antivirus.

Réponse 59 / 89

bigblade Messages postés 95 Date d'inscription mardi 10 mars 2009 Statut Membre Dernière intervention 23 mai 2009 1
9 mai 2009 à 09:54

dans le deuxieme post qui est la suite de celui la j ai deja fait le usbfix

Réponse 60 / 89

chimay8 Messages postés 7720 Date d'inscription jeudi 1 mai 2008 Statut Contributeur sécurité Dernière intervention 3 janvier 2014 60
9 mai 2009 à 09:57

oui,mais il y a des MAJ qui sont faites par après

Un trojan résistant, Win32.Small.jhl

89 réponses

Discussions similaires