[spyware] Incessant pop-ups

Gwinoo Posts: 21 Status: Member -  
balltrap34 Posts: 16241 Status: Security contributor -
Hello,
My computer has been infected for a week by I don't know what?!?!
The same page keeps appearing without warning:
www.9ringtone.com
and another one with Bundleware in it.

I was infected with Ezula, 180solutions and others.

My last AVG scan reported a dialer and Java ByteVerify.

Where do I start??

Can someone help me, please?

58 replies

Gwinoo

Here's another one... but I don't understand why you say it's out of date?

Logfile of HijackThis v1.99.1
Scan saved at 20:34:51, on 2005-04-16
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\a2\a2guard.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.fr.msn.ca/0SEFRCA/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a2\a2guard.exe"
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\gpnul3591.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
0
balltrap34 Posts: 16241 Status: Security contributor 332
 
The time on the HijackThis log isn't right. Is your PC's clock set correctly?
0
Gwinoo

Well yes, the time is right... I'm in Quebec, it's 21:09, so 3:09 in the morning in France. No?
0
balltrap34 Posts: 16241 Status: Security contributor 332
 
Re: sorry, I hadn't thought you were that far away lol
We need to get rid of that DLL.
Go through regedit
and go to its location:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\App Management\DLLName/gpnul3591.dll
then right-click the App Management folder and choose Permissions.
There, click Administrator and check whether the Deny boxes are ticked; untick them and tick the Allow boxes. Then click Advanced and check that you have Full Control; if not, edit it and set it to Full Control, then Apply. Then try to delete it from the registry.
0

Gwinoo

Good morning Balltrap!

Logfile of HijackThis v1.99.1
Scan saved at 08:53:00, on 2005-04-17
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\a2\a2guard.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.fr.msn.ca/0SEFRCA/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a2\a2guard.exe"
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O20 - Winlogon Notify: Controls ;These are the new registry tweaks for 800x600x16x60. - C:\WINDOWS\system32\kt64l7jq1.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe

As you can see, it's changed a bit...

Go through regedit
and go to its location:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\App Management\DLLName/gpnul3591.dll


I went through:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Controls ;These are the new registry tweaks for 800x600x16x60. - C:\WINDOWS\system32\kt64l7jq1.dll

then right-click the App Management folder and choose Permissions.
There, click Administrator and check whether the Deny boxes are ticked; untick them and tick the Allow boxes. Then click Advanced and check that you have Full Control; if not, edit it and set it to Full Control, then Apply. Then try to delete it from the registry.

--
Everything was OK, and I was able to delete the DLL file in question (kt64l7jq1.dll).

Here's the HijackThis log after that operation:

Logfile of HijackThis v1.99.1
Scan saved at 08:57:48, on 2005-04-17
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\a2\a2guard.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.fr.msn.ca/0SEFRCA/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a2\a2guard.exe"
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O20 - Winlogon Notify: Controls ;These are the new registry tweaks for 800x600x16x60. - C:\WINDOWS\system32\kt64l7jq1.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe

Still the same one!?!?
0
balltrap34 Posts: 16241 Status: Security contributor 332
 
Download this small program, which will give us the list
of services:

http://pageperso.aol.fr/balltrap34/page%20virus.htm

Put it on the desktop.
Run it.
Copy/paste the text file that appears.
-------------
And also this:
download this
http://www.downloads.subratam.org/l2mfix.exe
Unzip it, double-click it, press any key and then choose option 1.
Wait, it will produce a report; copy and paste it here.
Above all, do nothing else.
0
Gwinoo

Download this small program, which will give us the list
of services:


Which one?
0
balltrap34 Posts: 16241 Status: Security contributor 332

lol sorry, it's called Get Active Services
0
Gwinoo
 
These are the Current Active Services:

SERVICE DE LA PASSERELLE DE LA COUCHE APPLICATION: ALG
C:\WINDOWS\System32\alg.exe

AUDIO WINDOWS: AudioSrv
C:\WINDOWS\System32\svchost.exe -k netsvcs

SERVICE DE TRANSFERT INTELLIGENT EN ARRIÈRE-PLAN: BITS
C:\WINDOWS\System32\svchost.exe -k netsvcs

EXPLORATEUR D'ORDINATEUR: Browser
C:\WINDOWS\System32\svchost.exe -k netsvcs

SERVICES DE CRYPTOGRAPHIE: CryptSvc
C:\WINDOWS\system32\svchost.exe -k netsvcs

CLIENT DHCP: Dhcp
C:\WINDOWS\System32\svchost.exe -k netsvcs

SERVICE DE RAPPORT D'ERREURS: ERSvc
C:\WINDOWS\System32\svchost.exe -k netsvcs

SYSTÈME D'ÉVÉNEMENTS DE COM+: EventSystem
C:\WINDOWS\System32\svchost.exe -k netsvcs

COMPATIBILITÉ AVEC LE CHANGEMENT RAPIDE D'UTILISATEUR: FastUserSwitchingCompatibility
C:\WINDOWS\System32\svchost.exe -k netsvcs

AIDE ET SUPPORT: helpsvc
C:\WINDOWS\System32\svchost.exe -k netsvcs

SERVEUR: lanmanserver
C:\WINDOWS\System32\svchost.exe -k netsvcs

STATION DE TRAVAIL: lanmanworkstation
C:\WINDOWS\System32\svchost.exe -k netsvcs

CONNEXIONS RÉSEAU: Netman
C:\WINDOWS\System32\svchost.exe -k netsvcs

NLA (NETWORK LOCATION AWARENESS): Nla
C:\WINDOWS\System32\svchost.exe -k netsvcs

GESTIONNAIRE DE CONNEXIONS D'ACCÈS DISTANT: RasMan
C:\WINDOWS\System32\svchost.exe -k netsvcs

PLANIFICATEUR DE TÂCHES: Schedule
C:\WINDOWS\System32\svchost.exe -k netsvcs

CONNEXION SECONDAIRE: seclogon
C:\WINDOWS\System32\svchost.exe -k netsvcs

NOTIFICATION D'ÉVÉNEMENT SYSTÈME: SENS
C:\WINDOWS\system32\svchost.exe -k netsvcs

PARE-FEU WINDOWS / PARTAGE DE CONNEXION INTERNET: SharedAccess
C:\WINDOWS\System32\svchost.exe -k netsvcs

DÉTECTION MATÉRIEL NOYAU: ShellHWDetection
C:\WINDOWS\System32\svchost.exe -k netsvcs

SERVICE DE RESTAURATION SYSTÈME: srservice
C:\WINDOWS\System32\svchost.exe -k netsvcs

TÉLÉPHONIE: TapiSrv
C:\WINDOWS\System32\svchost.exe -k netsvcs

THÈMES: Themes
C:\WINDOWS\System32\svchost.exe -k netsvcs

CLIENT DE SUIVI DE LIEN DISTRIBUÉ: TrkWks
C:\WINDOWS\system32\svchost.exe -k netsvcs

HORLOGE WINDOWS: W32Time
C:\WINDOWS\System32\svchost.exe -k netsvcs

INFRASTRUCTURE DE GESTION WINDOWS: winmgmt
C:\WINDOWS\system32\svchost.exe -k netsvcs

CENTRE DE SÉCURITÉ: wscsvc
C:\WINDOWS\System32\svchost.exe -k netsvcs

MISES À JOUR AUTOMATIQUES: wuauserv
C:\WINDOWS\system32\svchost.exe -k netsvcs

CONFIGURATION AUTOMATIQUE SANS FIL: WZCSVC
C:\WINDOWS\System32\svchost.exe -k netsvcs

AVG7 ALERT MANAGER SERVER: Avg7Alrt
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

AVG7 UPDATE SERVICE: Avg7UpdSvc
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

LANCEUR DE PROCESSUS SERVEUR DCOM: DcomLaunch
C:\WINDOWS\system32\svchost -k DcomLaunch

SERVICES TERMINAL SERVER: TermService
C:\WINDOWS\System32\svchost -k DComLaunch

CLIENT DNS: Dnscache
C:\WINDOWS\System32\svchost.exe -k NetworkService

JOURNAL DES ÉVÉNEMENTS: Eventlog
C:\WINDOWS\system32\services.exe

PLUG-AND-PLAY: PlugPlay
C:\WINDOWS\system32\services.exe

KERIO PERSONAL FIREWALL 4: KPF4
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe

ASSISTANCE TCP/IP NETBIOS: LmHosts
C:\WINDOWS\System32\svchost.exe -k LocalService

SERVICE DE DÉCOUVERTES SSDP: SSDPSRV
C:\WINDOWS\System32\svchost.exe -k LocalService

WEBCLIENT: WebClient
C:\WINDOWS\System32\svchost.exe -k LocalService

SERVICES IPSEC: PolicyAgent
C:\WINDOWS\System32\lsass.exe

EMPLACEMENT PROTÉGÉ: ProtectedStorage
C:\WINDOWS\system32\lsass.exe

GESTIONNAIRE DE COMPTES DE SÉCURITÉ: SamSs
C:\WINDOWS\system32\lsass.exe

APPEL DE PROCÉDURE DISTANTE (RPC): RpcSs
C:\WINDOWS\system32\svchost -k rpcss

SPOULEUR D'IMPRESSION: Spooler
C:\WINDOWS\system32\spoolsv.exe

ACQUISITION D'IMAGE WINDOWS (WIA): stisvc
C:\WINDOWS\System32\svchost.exe -k imgsvc
0
balltrap34 Posts: 16241 Status: Security contributor 332

Do the other one for me please
0
Gwinoo
 
When I typed 1 (option 1) I got this message:

C:\Windows\system32\cmd.exe
C:\Windows\system32\AUTOEXEC.NT
Le fichier système ne convient pas à l'éxécution des applications MS-DOS ou Microsoft Windows. Choisissez "fermer" pour mettre fin à l'application.

That's what I did. But it still ran a scan and produced a report, which is below:

L2MFIX find log 1.03
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Controls ;These are the new registry tweaks for 800x600x16x60.]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\kt64l7jq1.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{5BC3C13B-1B52-CD47-19B4-CC496DD896A6}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Feuille de propriétés du fichier multimédia"
"{176d6597-26d3-11d1-b350-080036a75b03}"="Gestion de scanneur ICM"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="Page de sécurité NTFS"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="Page des propriétés de OLE DocFile"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Extensions de l'environnement pour le partage"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Extension Affichage Carte du Panneau de configuration"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Extension Affichage Écran du Panneau de configuration"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Extension Affichage Panorama du Panneau de configuration"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="Page de sécurité DS"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Page de compatibilité"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Gestionnaire de données endommagées de l'environnement"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Extension copie de disquette"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Extensions de l'environnement pour les objets réseau de Microsoft Windows"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="Gestion d'écran ICM"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="Gestion d'imprimante ICM"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Extensions de l'environnement de compression de fichiers"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Extension de l'environnement d'imprimante Web"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Menu contextuel de cryptage"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Porte-documents"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="Extension icône HyperTerminal"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="Profil ICC"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Page de sécurité des imprimantes"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Extensions de l'environnement pour le partage"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Extension de cryptographie PKO"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Extension de cryptographie Sign"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Connexions réseau"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Connexions réseau"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="&Scanneurs et appareils photo"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="&Scanneurs et appareils photo"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="&Scanneurs et appareils photo"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="&Scanneurs et appareils photo"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="&Scanneurs et appareils photo"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Extensions de l'interpréteur de commandes pour l'environnement d'exécution de scripts Windows"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Liaison de données Microsoft"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Tâches planifiées"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Barre des tâches et menu Démarrer"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Rechercher"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Aide et support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Aide et support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Exécuter..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="Courrier électronique"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Polices"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Outils d'administration"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Barre d'outils Internet Microsoft"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="État du téléchargement"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Dossier Bureau étendu"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Dossier du shell augmenté"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Bande du navigateur Microsoft"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Bande de recherche"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="Volet intégré de recherche"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Recherche Web"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Utilitaire des options de l'arborescence du Registre"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Adresse"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Boîte d'entrée de l'adresse"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Saisie semi-automatique Microsoft"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="Liste de saisie semi-automatique MRU"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Liste de saisie semi-automatique personnalisée MRU"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Barre de progrès auto-ouvrante"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Analyseur de la barre d'adresses"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Liste de saisie semi-automatique de l'historique Microsoft"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Liste de saisie semi-automatique du dossier Shell Microsoft"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Conteneur de la liste de saisie semi-automatique multiple Microsoft"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Menu Site de bandes"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Barre du Bureau"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="Assistance utilisateur"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Paramètres du dossier global"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="Historique"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="Image de démarrage de la Suite IE4"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="Dossier ActiveX Cache"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Dossier Inscription"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Gestionnaire d'applications d'environnement"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Énumérateur d'applications installées"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Publication d'application Darwin"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="Extracteur de miniatures de fichier + GDI"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Gestionnaire de miniatures - Informations de résumé (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="Extracteur de miniatures HTML"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Assistant Publication de sites Web"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Commande d'impressions via le Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Objet Assistant de publication Shell"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Assistant Obtenir une identité Passport"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="Comptes d'utilisateurs"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Fichier de chaîne"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Raccourci de chaîne"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Dossier Fichiers hors connexion"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="Des &personnes..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"="TrojanHunter Menu Shell Extension"
"{52B87208-9CCF-42C9-B88E-069281105805}"="Trojan Remover Shell Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{1E2CDF40-419B-11D2-A5A1-002018648BA7}"="AVG Shell Extension"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{D1BC54FF-E6FE-4520-AEB8-7D82C6FFE573}"=""
"{65A6D3A1-301A-4136-9765-7E12B444C89A}"=""
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"="AVG7 Shell Extension"
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}"="AVG7 Find Extension"
"{AB77609F-2178-4E6F-9C4B-44AC179D937A}"="a² Context Menu Shell Extension"

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{D1BC54FF-E6FE-4520-AEB8-7D82C6FFE573}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D1BC54FF-E6FE-4520-AEB8-7D82C6FFE573}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D1BC54FF-E6FE-4520-AEB8-7D82C6FFE573}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D1BC54FF-E6FE-4520-AEB8-7D82C6FFE573}\InprocServer32]
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{65A6D3A1-301A-4136-9765-7E12B444C89A}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{65A6D3A1-301A-4136-9765-7E12B444C89A}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{65A6D3A1-301A-4136-9765-7E12B444C89A}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{65A6D3A1-301A-4136-9765-7E12B444C89A}\InprocServer32]
@="C:\\WINDOWS\\system32\\dLdpmesh.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:
Directory Listing of system files:
Le volume dans le lecteur C n'a pas de nom.
Le numéro de série du volume est 9858-3BAB

Répertoire de C:\WINDOWS\System32

2005-04-17 08:43 232 957 dLdpmesh.dll
2005-04-16 23:25 236 122 k2pm0c71ef.dll
2005-04-16 10:11 232 957 kt64l7jq1.dll
2005-04-16 08:08 233 153 p8n8li5u18.dll
2005-04-15 13:41 234 169 ksdusr.dll
2005-04-15 07:39 234 419 m046lahs1d46.dll
2005-04-14 17:35 232 491 o8lu0i39e8.dll
2005-04-14 07:40 232 491 kddgae.dll
2005-04-13 15:25 236 117 o8660ijse8o60.dll
2005-04-12 11:06 <REP> dllcache
2005-04-12 06:16 235 398 gppol3731.dll
2005-04-12 05:57 235 398 wjpui.dll
2005-04-12 05:47 235 799 dn0401dqe.dll
2005-04-11 07:32 232 661 wcnsrv.dll
2005-04-11 06:10 234 584 bkowsewm.dll
2005-04-10 13:47 233 910 gp4ol3h31.dll
2005-04-10 13:31 232 567 rtnd.dll
2005-04-10 13:23 233 564 jtru0799e.dll
2005-04-10 10:16 232 567 mrjint35.dll
2005-04-09 19:47 234 499 skeio.dll
2005-04-09 17:04 233 248 mrc42u.dll
2005-04-09 16:56 234 391 gp4ml3h11.dll
2005-04-09 14:31 233 248 rppwsx.dll
2005-04-09 14:31 233 248 rUsrad.dll
2005-04-09 13:52 230 850 mpcshext.dll
2005-04-09 13:52 229 209 d8j02i1mg8.dll
2005-04-09 10:38 230 850 fp4603hse.dll
2005-04-08 08:51 230 207 mjls31.dll
2005-04-08 06:27 229 484 lmtga11n.dll
2005-04-07 08:22 229 201 ljpsd11n.dll
2005-04-07 06:16 231 126 wmnsrv.dll
2005-04-06 11:05 229 201 donlobby.dll
2005-04-06 08:40 230 844 qrv.dll
2005-04-06 06:31 229 201 mgxml3.dll
2005-04-05 06:46 229 234 ptdgen.dll
2005-04-01 08:07 230 275 suardssp.dll
2005-03-30 05:44 229 194 scrio800.dll
2005-03-26 09:14 229 291 serrun.dll
2005-03-26 00:15 229 194 sclogcfg.dll
2005-03-23 05:46 231 974 wqsdmod.dll
2005-03-20 09:20 231 831 tlappcmp.dll
2005-03-11 17:10 231 359 nbtapi32.dll
2005-03-07 07:44 231 357 nplanui2.dll
2005-03-06 11:09 231 357 aOaamon.dll
2004-12-08 10:39 389 120 m?iexec.exe
2004-02-19 14:18 <REP> Microsoft
44 fichier(s) 10 374 317 octets
2 Rép(s) 31 806 963 712 octets libres
balltrap34 Posts: 16241 Status: Security contributor 332
 
ok
Run L2MFix again and click on l2mfix.bat, and this time click on option 2 and let it do its work, then post me the report and a
new HijackThis log.
Gwinoo
 
L2Mfix 1.03

Running From:
C:\Documents and Settings\Julie Rivard\Bureau\l2mfix

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access AUTORITE NT\SYSTEM
(IO) ALLOW Full access AUTORITE NT\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Utilisateurs
(ID-IO) ALLOW Read BUILTIN\Utilisateurs
(ID-NI) ALLOW Full access BUILTIN\Administrateurs
(ID-IO) ALLOW Full access BUILTIN\Administrateurs
(ID-NI) ALLOW Full access AUTORITE NT\SYSTEM
(ID-IO) ALLOW Full access AUTORITE NT\SYSTEM
(ID-IO) ALLOW Full access CREATEUR PROPRIETAIRE

Setting registry permissions:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Denying C(CI) access for predefined group "Administrators"
- adding new ACCESS DENY entry

Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- BUILTIN\Administrateurs
(NI) ALLOW Full access AUTORITE NT\SYSTEM
(IO) ALLOW Full access AUTORITE NT\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Utilisateurs
(ID-IO) ALLOW Read BUILTIN\Utilisateurs
(ID-NI) ALLOW Full access BUILTIN\Administrateurs
(ID-IO) ALLOW Full access BUILTIN\Administrateurs
(ID-NI) ALLOW Full access AUTORITE NT\SYSTEM
(ID-IO) ALLOW Full access AUTORITE NT\SYSTEM
(ID-IO) ALLOW Full access CREATEUR PROPRIETAIRE

Setting up for Reboot

Starting Reboot!

C:\Documents and Settings\Julie Rivard\Bureau\l2mfix
System Rebooted!

Running From:
C:\Documents and Settings\Julie Rivard\Bureau\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1352 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1444 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINDOWS\system32\aOaamon.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\bkowsewm.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\d8j02i1mg8.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\dLdpmesh.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\dn0401dqe.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\donlobby.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\fp4603hse.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\gp4ml3h11.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\gp4ol3h31.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\gppol3731.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\jtru0799e.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\k2pm0c71ef.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\kddgae.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\kidsf.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\ksdusr.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\ljpsd11n.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\lmtga11n.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\m046lahs1d46.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\mgxml3.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\mjls31.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\mpcshext.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\mrc42u.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\mrjint35.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\nbtapi32.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\nplanui2.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\o8660ijse8o60.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\o8lu0i39e8.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\p8n8li5u18.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\ptdgen.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\qrv.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\rppwsx.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\rtnd.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\rUsrad.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\sclogcfg.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\scrio800.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\serrun.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\skeio.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\suardssp.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\tlappcmp.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\wcnsrv.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\wjpui.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\wmnsrv.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\wqsdmod.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\guard.tmp
1 fichier(s) copié(s).
deleting: C:\WINDOWS\system32\aOaamon.dll
Successfully Deleted: C:\WINDOWS\system32\aOaamon.dll
deleting: C:\WINDOWS\system32\bkowsewm.dll
Successfully Deleted: C:\WINDOWS\system32\bkowsewm.dll
deleting: C:\WINDOWS\system32\d8j02i1mg8.dll
Successfully Deleted: C:\WINDOWS\system32\d8j02i1mg8.dll
deleting: C:\WINDOWS\system32\dLdpmesh.dll
Successfully Deleted: C:\WINDOWS\system32\dLdpmesh.dll
deleting: C:\WINDOWS\system32\dn0401dqe.dll
Successfully Deleted: C:\WINDOWS\system32\dn0401dqe.dll
deleting: C:\WINDOWS\system32\donlobby.dll
Successfully Deleted: C:\WINDOWS\system32\donlobby.dll
deleting: C:\WINDOWS\system32\fp4603hse.dll
Successfully Deleted: C:\WINDOWS\system32\fp4603hse.dll
deleting: C:\WINDOWS\system32\gp4ml3h11.dll
Successfully Deleted: C:\WINDOWS\system32\gp4ml3h11.dll
deleting: C:\WINDOWS\system32\gp4ol3h31.dll
Successfully Deleted: C:\WINDOWS\system32\gp4ol3h31.dll
deleting: C:\WINDOWS\system32\gppol3731.dll
Successfully Deleted: C:\WINDOWS\system32\gppol3731.dll
deleting: C:\WINDOWS\system32\jtru0799e.dll
Successfully Deleted: C:\WINDOWS\system32\jtru0799e.dll
deleting: C:\WINDOWS\system32\k2pm0c71ef.dll
Successfully Deleted: C:\WINDOWS\system32\k2pm0c71ef.dll
deleting: C:\WINDOWS\system32\kddgae.dll
Successfully Deleted: C:\WINDOWS\system32\kddgae.dll
deleting: C:\WINDOWS\system32\kidsf.dll
Successfully Deleted: C:\WINDOWS\system32\kidsf.dll
deleting: C:\WINDOWS\system32\ksdusr.dll
Successfully Deleted: C:\WINDOWS\system32\ksdusr.dll
deleting: C:\WINDOWS\system32\ljpsd11n.dll
Successfully Deleted: C:\WINDOWS\system32\ljpsd11n.dll
deleting: C:\WINDOWS\system32\lmtga11n.dll
Successfully Deleted: C:\WINDOWS\system32\lmtga11n.dll
deleting: C:\WINDOWS\system32\m046lahs1d46.dll
Successfully Deleted: C:\WINDOWS\system32\m046lahs1d46.dll
deleting: C:\WINDOWS\system32\mgxml3.dll
Successfully Deleted: C:\WINDOWS\system32\mgxml3.dll
deleting: C:\WINDOWS\system32\mjls31.dll
Successfully Deleted: C:\WINDOWS\system32\mjls31.dll
deleting: C:\WINDOWS\system32\mpcshext.dll
Successfully Deleted: C:\WINDOWS\system32\mpcshext.dll
deleting: C:\WINDOWS\system32\mrc42u.dll
Successfully Deleted: C:\WINDOWS\system32\mrc42u.dll
deleting: C:\WINDOWS\system32\mrjint35.dll
Successfully Deleted: C:\WINDOWS\system32\mrjint35.dll
deleting: C:\WINDOWS\system32\nbtapi32.dll
Successfully Deleted: C:\WINDOWS\system32\nbtapi32.dll
deleting: C:\WINDOWS\system32\nplanui2.dll
Successfully Deleted: C:\WINDOWS\system32\nplanui2.dll
deleting: C:\WINDOWS\system32\o8660ijse8o60.dll
Successfully Deleted: C:\WINDOWS\system32\o8660ijse8o60.dll
deleting: C:\WINDOWS\system32\o8lu0i39e8.dll
Successfully Deleted: C:\WINDOWS\system32\o8lu0i39e8.dll
deleting: C:\WINDOWS\system32\p8n8li5u18.dll
Successfully Deleted: C:\WINDOWS\system32\p8n8li5u18.dll
deleting: C:\WINDOWS\system32\ptdgen.dll
Successfully Deleted: C:\WINDOWS\system32\ptdgen.dll
deleting: C:\WINDOWS\system32\qrv.dll
Successfully Deleted: C:\WINDOWS\system32\qrv.dll
deleting: C:\WINDOWS\system32\rppwsx.dll
Successfully Deleted: C:\WINDOWS\system32\rppwsx.dll
deleting: C:\WINDOWS\system32\rtnd.dll
Successfully Deleted: C:\WINDOWS\system32\rtnd.dll
deleting: C:\WINDOWS\system32\rUsrad.dll
Successfully Deleted: C:\WINDOWS\system32\rUsrad.dll
deleting: C:\WINDOWS\system32\sclogcfg.dll
Successfully Deleted: C:\WINDOWS\system32\sclogcfg.dll
deleting: C:\WINDOWS\system32\scrio800.dll
Successfully Deleted: C:\WINDOWS\system32\scrio800.dll
deleting: C:\WINDOWS\system32\serrun.dll
Successfully Deleted: C:\WINDOWS\system32\serrun.dll
deleting: C:\WINDOWS\system32\skeio.dll
Successfully Deleted: C:\WINDOWS\system32\skeio.dll
deleting: C:\WINDOWS\system32\suardssp.dll
Successfully Deleted: C:\WINDOWS\system32\suardssp.dll
deleting: C:\WINDOWS\system32\tlappcmp.dll
Successfully Deleted: C:\WINDOWS\system32\tlappcmp.dll
deleting: C:\WINDOWS\system32\wcnsrv.dll
Successfully Deleted: C:\WINDOWS\system32\wcnsrv.dll
deleting: C:\WINDOWS\system32\wjpui.dll
Successfully Deleted: C:\WINDOWS\system32\wjpui.dll
deleting: C:\WINDOWS\system32\wmnsrv.dll
Successfully Deleted: C:\WINDOWS\system32\wmnsrv.dll
deleting: C:\WINDOWS\system32\wqsdmod.dll
Successfully Deleted: C:\WINDOWS\system32\wqsdmod.dll
deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp

Desktop.ini sucessfully removed

Zipping up files for submission:
adding: aOaamon.dll (104 bytes security) (deflated 5%)
adding: bkowsewm.dll (104 bytes security) (deflated 5%)
adding: d8j02i1mg8.dll (104 bytes security) (deflated 5%)
adding: dLdpmesh.dll (104 bytes security) (deflated 4%)
adding: dn0401dqe.dll (104 bytes security) (deflated 6%)
adding: donlobby.dll (104 bytes security) (deflated 5%)
adding: fp4603hse.dll (104 bytes security) (deflated 5%)
adding: gp4ml3h11.dll (104 bytes security) (deflated 5%)
adding: gp4ol3h31.dll (104 bytes security) (deflated 5%)
adding: gppol3731.dll (104 bytes security) (deflated 5%)
adding: jtru0799e.dll (104 bytes security) (deflated 5%)
adding: k2pm0c71ef.dll (104 bytes security) (deflated 6%)
adding: kddgae.dll (104 bytes security) (deflated 4%)
adding: kidsf.dll (104 bytes security) (deflated 4%)
adding: ksdusr.dll (104 bytes security) (deflated 5%)
adding: ljpsd11n.dll (104 bytes security) (deflated 5%)
adding: lmtga11n.dll (104 bytes security) (deflated 5%)
adding: m046lahs1d46.dll (104 bytes security) (deflated 5%)
adding: mgxml3.dll (104 bytes security) (deflated 5%)
adding: mjls31.dll (104 bytes security) (deflated 5%)
adding: mpcshext.dll (104 bytes security) (deflated 5%)
adding: mrc42u.dll (104 bytes security) (deflated 4%)
adding: mrjint35.dll (104 bytes security) (deflated 4%)
adding: nbtapi32.dll (104 bytes security) (deflated 5%)
adding: nplanui2.dll (104 bytes security) (deflated 5%)
adding: o8660ijse8o60.dll (104 bytes security) (deflated 6%)
adding: o8lu0i39e8.dll (104 bytes security) (deflated 4%)
adding: p8n8li5u18.dll (104 bytes security) (deflated 4%)
adding: ptdgen.dll (104 bytes security) (deflated 5%)
adding: qrv.dll (104 bytes security) (deflated 5%)
adding: rppwsx.dll (104 bytes security) (deflated 4%)
adding: rtnd.dll (104 bytes security) (deflated 4%)
adding: rUsrad.dll (104 bytes security) (deflated 4%)
adding: sclogcfg.dll (104 bytes security) (deflated 5%)
adding: scrio800.dll (104 bytes security) (deflated 5%)
adding: serrun.dll (104 bytes security) (deflated 5%)
adding: skeio.dll (104 bytes security) (deflated 5%)
adding: suardssp.dll (104 bytes security) (deflated 5%)
adding: tlappcmp.dll (104 bytes security) (deflated 5%)
adding: wcnsrv.dll (104 bytes security) (deflated 4%)
adding: wjpui.dll (104 bytes security) (deflated 5%)
adding: wmnsrv.dll (104 bytes security) (deflated 5%)
adding: wqsdmod.dll (104 bytes security) (deflated 5%)
adding: guard.tmp (104 bytes security) (deflated 4%)
adding: clear.reg (104 bytes security) (deflated 36%)
adding: echo.reg (104 bytes security) (deflated 10%)
adding: desktop.ini (104 bytes security) (deflated 14%)
adding: direct.txt (104 bytes security) (stored 0%)
adding: lo2.txt (104 bytes security) (deflated 86%)
adding: readme.txt (104 bytes security) (deflated 49%)
adding: test.txt (104 bytes security) (deflated 83%)
adding: test2.txt (104 bytes security) (deflated 16%)
adding: test3.txt (104 bytes security) (deflated 16%)
adding: test5.txt (104 bytes security) (deflated 16%)
adding: xfind.txt (104 bytes security) (deflated 79%)
adding: backregs/65A6D3A1-301A-4136-9765-7E12B444C89A.reg (104 bytes security) (deflated 70%)
adding: backregs/D1BC54FF-E6FE-4520-AEB8-7D82C6FFE573.reg (104 bytes security) (deflated 71%)
adding: backregs/shell.reg (104 bytes security) (deflated 74%)

Restoring Registry Permissions:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!

Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access AUTORITE NT\SYSTEM
(IO) ALLOW Full access AUTORITE NT\SYSTEM
(NI) ALLOW Full access AUTORITE NT\SYSTEM
(IO) ALLOW Full access AUTORITE NT\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Utilisateurs
(ID-IO) ALLOW Read BUILTIN\Utilisateurs
(ID-NI) ALLOW Full access BUILTIN\Administrateurs
(ID-IO) ALLOW Full access BUILTIN\Administrateurs
(ID-NI) ALLOW Full access AUTORITE NT\SYSTEM
(ID-IO) ALLOW Full access AUTORITE NT\SYSTEM
(ID-IO) ALLOW Full access CREATEUR PROPRIETAIRE

Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... failed (GetAccountSid(Administrators)=1332

deleting local copy: aOaamon.dll
deleting local copy: bkowsewm.dll
deleting local copy: d8j02i1mg8.dll
deleting local copy: dLdpmesh.dll
deleting local copy: dn0401dqe.dll
deleting local copy: donlobby.dll
deleting local copy: fp4603hse.dll
deleting local copy: gp4ml3h11.dll
deleting local copy: gp4ol3h31.dll
deleting local copy: gppol3731.dll
deleting local copy: jtru0799e.dll
deleting local copy: k2pm0c71ef.dll
deleting local copy: kddgae.dll
deleting local copy: kidsf.dll
deleting local copy: ksdusr.dll
deleting local copy: ljpsd11n.dll
deleting local copy: lmtga11n.dll
deleting local copy: m046lahs1d46.dll
deleting local copy: mgxml3.dll
deleting local copy: mjls31.dll
deleting local copy: mpcshext.dll
deleting local copy: mrc42u.dll
deleting local copy: mrjint35.dll
deleting local copy: nbtapi32.dll
deleting local copy: nplanui2.dll
deleting local copy: o8660ijse8o60.dll
deleting local copy: o8lu0i39e8.dll
deleting local copy: p8n8li5u18.dll
deleting local copy: ptdgen.dll
deleting local copy: qrv.dll
deleting local copy: rppwsx.dll
deleting local copy: rtnd.dll
deleting local copy: rUsrad.dll
deleting local copy: sclogcfg.dll
deleting local copy: scrio800.dll
deleting local copy: serrun.dll
deleting local copy: skeio.dll
deleting local copy: suardssp.dll
deleting local copy: tlappcmp.dll
deleting local copy: wcnsrv.dll
deleting local copy: wjpui.dll
deleting local copy: wmnsrv.dll
deleting local copy: wqsdmod.dll
deleting local copy: guard.tmp

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

The following are the files found:
****************************************************************************
C:\WINDOWS\system32\aOaamon.dll
C:\WINDOWS\system32\bkowsewm.dll
C:\WINDOWS\system32\d8j02i1mg8.dll
C:\WINDOWS\system32\dLdpmesh.dll
C:\WINDOWS\system32\dn0401dqe.dll
C:\WINDOWS\system32\donlobby.dll
C:\WINDOWS\system32\fp4603hse.dll
C:\WINDOWS\system32\gp4ml3h11.dll
C:\WINDOWS\system32\gp4ol3h31.dll
C:\WINDOWS\system32\gppol3731.dll
C:\WINDOWS\system32\jtru0799e.dll
C:\WINDOWS\system32\k2pm0c71ef.dll
C:\WINDOWS\system32\kddgae.dll
C:\WINDOWS\system32\kidsf.dll
C:\WINDOWS\system32\ksdusr.dll
C:\WINDOWS\system32\ljpsd11n.dll
C:\WINDOWS\system32\lmtga11n.dll
C:\WINDOWS\system32\m046lahs1d46.dll
C:\WINDOWS\system32\mgxml3.dll
C:\WINDOWS\system32\mjls31.dll
C:\WINDOWS\system32\mpcshext.dll
C:\WINDOWS\system32\mrc42u.dll
C:\WINDOWS\system32\mrjint35.dll
C:\WINDOWS\system32\nbtapi32.dll
C:\WINDOWS\system32\nplanui2.dll
C:\WINDOWS\system32\o8660ijse8o60.dll
C:\WINDOWS\system32\o8lu0i39e8.dll
C:\WINDOWS\system32\p8n8li5u18.dll
C:\WINDOWS\system32\ptdgen.dll
C:\WINDOWS\system32\qrv.dll
C:\WINDOWS\system32\rppwsx.dll
C:\WINDOWS\system32\rtnd.dll
C:\WINDOWS\system32\rUsrad.dll
C:\WINDOWS\system32\sclogcfg.dll
C:\WINDOWS\system32\scrio800.dll
C:\WINDOWS\system32\serrun.dll
C:\WINDOWS\system32\skeio.dll
C:\WINDOWS\system32\suardssp.dll
C:\WINDOWS\system32\tlappcmp.dll
C:\WINDOWS\system32\wcnsrv.dll
C:\WINDOWS\system32\wjpui.dll
C:\WINDOWS\system32\wmnsrv.dll
C:\WINDOWS\system32\wqsdmod.dll
C:\WINDOWS\system32\guard.tmp

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{D1BC54FF-E6FE-4520-AEB8-7D82C6FFE573}"=-
"{65A6D3A1-301A-4136-9765-7E12B444C89A}"=-
[-HKEY_CLASSES_ROOT\CLSID\{D1BC54FF-E6FE-4520-AEB8-7D82C6FFE573}]
[-HKEY_CLASSES_ROOT\CLSID\{65A6D3A1-301A-4136-9765-7E12B444C89A}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
<IDone>{0D25CD4F-6F46-4038-B150-D74404909A9F}</IDone>
<IDtwo>BM2</IDtwo>
<VERSION>200</VERSION>
****************************************************************************

...And the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 09:49:25, on 2005-04-17
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\a2\a2guard.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.fr.msn.ca/0SEFRCA/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a2\a2guard.exe"
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
balltrap34 Posts: 16241 Status: Security contributor 332
 
bingo
We got it, it was a VX2 that was causing us trouble.
Where do your problems stand now?
Gwinoo
 
My problems come from pages that appear every 5 minutes (like pop-ups): one page advertises images and ringtones for mobile phones (www.9ringtone.com) and another has Bundleware in the address. But right now... for the moment... no sign of them.

Let's hope that was it... if so... you're a damn good hunter, the best I've seen!!! :)

Can you tell me more concretely about VX2? Is this the kind of symptom they cause?
balltrap34 Posts: 16241 Status: Security contributor 332
 
Too complex to explain in detail,
and I'm not sure I'd be able to, lol.

Keep me posted if it comes back, especially after several reboots.
See you!
Gwinoo
 
lol... ok... I hope to ask you for help as rarely as possible, since that will mean everything is fine! :)

But if not, I'll know where to find the best!

Until next time!
balltrap34 Posts: 16241 Status: Security contributor 332
 
thanks
see you!