A voir également:
- HCLEAN.EXE impossible à retirer
- Retirer pub youtube - Accueil - Streaming
- Comment retirer un ami sur facebook - Guide
- Retirer 1 compte gmail - Guide
- Retirer mot de passe windows 10 - Guide
- Comment retirer le mode securise sur android - Guide
7 réponses
salut, seul moe31 est calé sur cette infection
pas facile à virer en plus... mais bon on va lui avancer le travail, si il a le temps il te fera la manip a son retour en fin d aprem..
telecharge hc.zip ici
http://cjoint.com/?jAu7RJ0V1J
dezippe le, redemarre en mode sans echecs et lance hc.bat
le bloc note va s'ouvrir, sauvegarde le rapport.
redemarre normallement et poste le rapport ici.
ensuite:
telecharge hijackthis:
http://www.merijn.org/files/hijackthis.zip
Dezippe le dans un dossier prévu a cet effet.
Par exemple C:\hijack
et surtout pas dans un dossier temporaire (temp)
lance le puis:
clic sur "do a system scan and save logfile" et pas autre chose
Le bloc note va s'ouvrir, copie tout le contenu et colle le ici a la suite de ton message.
Si tu as du mal, regarde ceci:
http://pageperso.aol.fr/balltrap34/demohijack.htm
Silentrunners
http://www.silentrunners.org/Silent%20Runners.vbs
lance le et poste le rapport
a+
pas facile à virer en plus... mais bon on va lui avancer le travail, si il a le temps il te fera la manip a son retour en fin d aprem..
telecharge hc.zip ici
http://cjoint.com/?jAu7RJ0V1J
dezippe le, redemarre en mode sans echecs et lance hc.bat
le bloc note va s'ouvrir, sauvegarde le rapport.
redemarre normallement et poste le rapport ici.
ensuite:
telecharge hijackthis:
http://www.merijn.org/files/hijackthis.zip
Dezippe le dans un dossier prévu a cet effet.
Par exemple C:\hijack
et surtout pas dans un dossier temporaire (temp)
lance le puis:
clic sur "do a system scan and save logfile" et pas autre chose
Le bloc note va s'ouvrir, copie tout le contenu et colle le ici a la suite de ton message.
Si tu as du mal, regarde ceci:
http://pageperso.aol.fr/balltrap34/demohijack.htm
Silentrunners
http://www.silentrunners.org/Silent%20Runners.vbs
lance le et poste le rapport
a+
re,
Telecharge: Pocket Killbox ici
http://www.downloads.subratam.org/KillBox.exe
l'aide détaillé de la manip est en video ici:
http://pageperso.aol.fr/balltrap34/killbox.htm
(methode bloc note)
Imprime, ou enregistre la manip dans un fichier txt (bloc notes) pour etre sur ne rien oublier et de tout faire dans l'ordre.
-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
Lance hijackthis et clic sur [do a system scan only]
cocher la case au début des lignes suivantes:
O1 - Hosts: localhost 127.0.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{35BFD203-4759-483A-8371-41D90CA97191}: NameServer = 69.50.176.198,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{4B80F726-26A6-4EED-B754-3DC2458B4708}: NameServer = 69.50.176.198,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{5A7436A0-A80E-4B10-9E83-F04356E9678D}: NameServer = 69.50.176.198,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{5B6A33F9-29BD-49FB-A6DF-77E5098E2E6E}: NameServer = 69.50.176.198,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{7E145BB1-A896-48E0-875A-DC39CA86A286}: NameServer = 69.50.176.198,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{87FBC40E-D3FA-4C12-A0FD-84AF102B52D7}: NameServer = 69.50.176.198,85.255.112.12
O17 - HKLM\System\CS1\Services\Tcpip\..\{35BFD203-4759-483A-8371-41D90CA97191}: NameServer = 69.50.176.198,85.255.112.12
valider en cliquant sur le bouton [fix checked]
-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
puis vérifie ceci:
demarrer > connection > clic droit sur ta connection > propriétés
gestion de reseau
assure toi que protocole internet tcp/ip est en surbrillance (attention, ne décoche pas la case)> clic sur propriétés > selectionne "obtenir les adresses DNS des serveurs automatiquement"
valide avec ok
-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
Déconnecte toi d'internet et ferme tout les programmes en cours.
-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
ouvre le bloc note et copie et colle ceci à l'interieur:
REGEDIT4
[-HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\HCLEAN32.EXE]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=-
"System"=""
Puis enregistrer sous et dans:
Nom du fichier, met fix.reg
Type de fichier: selectionne "tous les fichiers"
clic sur enregistrer
ensuite double clic sur fix.reg et accepte de fusionner
-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
ouvre le bloc note et copie et colle la liste des fichiers à supprimerci-dessous
une fois fait, enregistre le à un endroit ou tu pourras le retrouver facilement (sur le bureau par exemple).
C:\WINDOWS\System32\hclean32.exe
C:\WINDOWS\system32\dmtol.exe
C:\WINDOWS\balloon.wav
C:\WINDOWS\rdt.ini
C:\WINDOWS\System32\csmaj.exe
1/ lance killbox.exe
2/ ouvre le fichier txt qui contient la liste des fichiers à supprimer, clic sur edition dans le menu du haut et clic sur "selectionner tout"
3/ clic une seconde fois sur "edition" et clic sur "copier"
4/ referme le bloc note.
5/ Dans killbox, selectionne "Delete on Reboot"
6/ Dans le menu du haut clic sur File, puis sur paste from clipboard
(tu devrais voir apparaitre la liste des fichier qu'il va supprimer)
7/ clic sur le rond rouge
8/ une fenetre va apparaitre pour confirmation clic sur OUI
9/ une seconde fenetre te demande si tu veux redemarrer clic sur OUI
Si le pc ne redemarre pas automatiquement ou si killbox t'envois ce message:
"Pending file Rename Operations Registry Data has been Removed by External Process"
ignore le et redemarre le pc normallement
-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
de retour en mode mormal, reposte les rapports des 3 programmes:
hijackthis, silentrunners et hc.bat
a+
Telecharge: Pocket Killbox ici
http://www.downloads.subratam.org/KillBox.exe
l'aide détaillé de la manip est en video ici:
http://pageperso.aol.fr/balltrap34/killbox.htm
(methode bloc note)
Imprime, ou enregistre la manip dans un fichier txt (bloc notes) pour etre sur ne rien oublier et de tout faire dans l'ordre.
-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
Lance hijackthis et clic sur [do a system scan only]
cocher la case au début des lignes suivantes:
O1 - Hosts: localhost 127.0.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{35BFD203-4759-483A-8371-41D90CA97191}: NameServer = 69.50.176.198,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{4B80F726-26A6-4EED-B754-3DC2458B4708}: NameServer = 69.50.176.198,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{5A7436A0-A80E-4B10-9E83-F04356E9678D}: NameServer = 69.50.176.198,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{5B6A33F9-29BD-49FB-A6DF-77E5098E2E6E}: NameServer = 69.50.176.198,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{7E145BB1-A896-48E0-875A-DC39CA86A286}: NameServer = 69.50.176.198,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{87FBC40E-D3FA-4C12-A0FD-84AF102B52D7}: NameServer = 69.50.176.198,85.255.112.12
O17 - HKLM\System\CS1\Services\Tcpip\..\{35BFD203-4759-483A-8371-41D90CA97191}: NameServer = 69.50.176.198,85.255.112.12
valider en cliquant sur le bouton [fix checked]
-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
puis vérifie ceci:
demarrer > connection > clic droit sur ta connection > propriétés
gestion de reseau
assure toi que protocole internet tcp/ip est en surbrillance (attention, ne décoche pas la case)> clic sur propriétés > selectionne "obtenir les adresses DNS des serveurs automatiquement"
valide avec ok
-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
Déconnecte toi d'internet et ferme tout les programmes en cours.
-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
ouvre le bloc note et copie et colle ceci à l'interieur:
REGEDIT4
[-HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\HCLEAN32.EXE]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=-
"System"=""
Puis enregistrer sous et dans:
Nom du fichier, met fix.reg
Type de fichier: selectionne "tous les fichiers"
clic sur enregistrer
ensuite double clic sur fix.reg et accepte de fusionner
-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
ouvre le bloc note et copie et colle la liste des fichiers à supprimerci-dessous
une fois fait, enregistre le à un endroit ou tu pourras le retrouver facilement (sur le bureau par exemple).
C:\WINDOWS\System32\hclean32.exe
C:\WINDOWS\system32\dmtol.exe
C:\WINDOWS\balloon.wav
C:\WINDOWS\rdt.ini
C:\WINDOWS\System32\csmaj.exe
1/ lance killbox.exe
2/ ouvre le fichier txt qui contient la liste des fichiers à supprimer, clic sur edition dans le menu du haut et clic sur "selectionner tout"
3/ clic une seconde fois sur "edition" et clic sur "copier"
4/ referme le bloc note.
5/ Dans killbox, selectionne "Delete on Reboot"
6/ Dans le menu du haut clic sur File, puis sur paste from clipboard
(tu devrais voir apparaitre la liste des fichier qu'il va supprimer)
7/ clic sur le rond rouge
8/ une fenetre va apparaitre pour confirmation clic sur OUI
9/ une seconde fenetre te demande si tu veux redemarrer clic sur OUI
Si le pc ne redemarre pas automatiquement ou si killbox t'envois ce message:
"Pending file Rename Operations Registry Data has been Removed by External Process"
ignore le et redemarre le pc normallement
-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
de retour en mode mormal, reposte les rapports des 3 programmes:
hijackthis, silentrunners et hc.bat
a+
Maintenant ça donne ça
------------
hc.bat
--------------
Rapport fait à 17:45:36,59 le 03/10/2005
Executé à partir de D:\antivirus\jAu
OS: Microsoft Windows XP [version 5.1.2600]
*********************************************
Vérification HKLM\...\...\...\...\ruins
*********************************************
Fichiers détectés :
C:\WINDOWS\System32\loadctr32.exe Présent !
*********************************************
Recherche des processus aleatoires
d'après les modèles : cs***.exe, dm***.exe, ya***.exe
C:\WINDOWS\System32
*********************************************
Recherche presence hclean32.exe...
non trouvé...
-----------------------
silentrunners
-------------------------
"Silent Runners.vbs", revision 40.1, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"NVMixerTray" = ""C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"" ["NVIDIA Corporation"]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS]
"SmcService" = "C:\PROGRA~1\Sygate\SPF\smc.exe -startgui" ["Sygate Technologies, Inc."]
"Miramar Systems, Inc." = "C:\Program Files\Miramar\PC MACLAN\atmsg.exe" ["Miramar Systems Inc."]
"EPSON Stylus CX3200" = "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX3200" /O6 "USB001" /M "Stylus CX3200"" ["SEIKO EPSON CORPORATION"]
"dmtol.exe" = "C:\WINDOWS\system32\dmtol.exe" [file not found]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"KAVPersonal50" = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize" ["Kaspersky Labs"]
"hclean32.exe" = "C:\WINDOWS\system32\hclean32.exe" [file not found]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Extension Affichage Panorama du Panneau de configuration"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Extension icône HyperTerminal"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\MICROS~1\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\MICROS~1\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{8FF88D21-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.2 Context Menu Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]
"{8FF88D25-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.2 DragDrop Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]
"{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.2 Context Menu Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]
"{8FF88D23-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.2 Property Sheet Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real Alternative\rpshell.dll" ["RealNetworks, Inc."]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]
HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Fichiers communs\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\context.dll" ["ewido networks"]
Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\shellex.dll" ["Kaspersky Labs"]
TheCleaner\(Default) = "{2DE506B9-4320-11d3-8E42-002035221EDA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\The Cleaner\tcshellex.dll" ["MooSoft Development"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
ZFAdd\(Default) = "{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\context.dll" ["ewido networks"]
Miramar_AppleTalk\(Default) = "{327700A0-1ABB-11CF-BD20-4CAA03C10000}"
-> {CLSID}\InProcServer32\(Default) = "atshel32.dll" ["Miramar Systems Inc."]
TheCleaner\(Default) = "{2DE506B9-4320-11D3-8E42-002035221EDA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\The Cleaner\tcshellex.dll" ["MooSoft Development"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
ZFAdd\(Default) = "{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\shellex.dll" ["Kaspersky Labs"]
MiramarNPMenu\(Default) = "{EA075FE0-9229-11CF-AEEE-00AA00A06FE4}"
-> {CLSID}\InProcServer32\(Default) = "atnp32.dll" ["Miramar Systems Inc."]
Miramar_Printers\(Default) = "{36C959A0-7CF9-11CF-AEEE-00AA00A06FE4}"
-> {CLSID}\InProcServer32\(Default) = "atpp32.dll" ["Miramar Systems Inc."]
TheCleaner\(Default) = "{2DE506B9-4320-11D3-8E42-002035221EDA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\The Cleaner\tcshellex.dll" ["MooSoft Development"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
Active Desktop and Wallpaper:
-----------------------------
Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Pierrot (Admin)\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"
Enabled Screen Saver:
---------------------
HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]
Startup items in "Pierrot (Admin)" & "All Users" startup folders:
-----------------------------------------------------------------
C:\Documents and Settings\Pierrot (Admin)\Menu Démarrer\Programmes\Démarrage
"Raccourci vers pg2" -> shortcut to: "D:\software\PeerGuardian 2 Beta\pg2.exe" ["Methlabs"]
C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage
"Adobe Gamma Loader" -> shortcut to: "C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
"Lancement rapide d'Adobe Reader" -> shortcut to: "D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"SonicWALL VPN Client" -> shortcut to: "C:\Program Files\SonicWALL\SonicWALL VPN Client\SafeCfg.exe" ["SafeNet"]
Enabled Scheduled Tasks:
------------------------
"XoftSpy" -> launches: "C:\Program Files\XoftSpy\XoftSpy.exe -t" ["ParetoLogic Inc."]
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 21
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05
Toolbars, Explorer Bars, Extensions:
------------------------------------
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\Software\Microsoft\Internet Explorer\Extensions\
{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Recherche"
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]
Miscellaneous IE Hijack Points
------------------------------
C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")
Added lines (compared with English-language version):
[Strings]: SAFESITE_VALUE="http://home.microsoft.com/intl/fr/"
Missing lines (compared with English-language version):
[Strings]: 1 line
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
AppleTalk Messenger, ATMsg, "C:\Program Files\Miramar\PC MACLAN\ATMsg.exe -service" ["Miramar Systems Inc."]
EPSON Printer Status Agent2, EPSONStatusAgent2, "C:\Program Files\Fichiers communs\EPSON\EBAPI\SAgent2.exe" ["SEIKO EPSON CORPORATION"]
EpsonBidirectionalService, EpsonBidirectionalService, "C:\Program Files\Fichiers communs\EPSON\EBAPI\eEBSVC.exe" [null data]
ewido security suite control, ewido security suite control, "C:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
ewido security suite guard, ewido security suite guard, "C:\Program Files\ewido\security suite\ewidoguard.exe" ["ewido networks"]
kavsvc, kavsvc, "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe" ["Kaspersky Labs"]
Miramar AppleTalk Print Server, Miramar AppleTalk Print Server, ""c:\Program Files\Miramar\PC MACLAN\ATSPOOL.EXE"" ["Miramar Systems Inc."]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
SafeNet IKE Service, IreIKE, ""C:\Program Files\SonicWALL\SonicWALL VPN Client\IreIKE.exe"" ["SafeNet"]
SafeNet Monitor Service, IPSECMON, ""C:\Program Files\SonicWALL\SonicWALL VPN Client\IPSecMon.exe"" ["SafeNet"]
Sygate Personal Firewall, SmcService, "C:\Program Files\Sygate\SPF\smc.exe" ["Sygate Technologies, Inc."]
----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 27 seconds, including 3 seconds for message boxes)
-------------------
hijackthis
---------------------
Logfile of HijackThis v1.99.1
Scan saved at 17:41:48, on 03/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\SonicWALL\SonicWALL VPN Client\IreIKE.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Fichiers communs\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Miramar\PC MACLAN\ATMsg.exe
C:\Program Files\Fichiers communs\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\SonicWALL\SonicWALL VPN Client\IPSecMon.exe
c:\Program Files\Miramar\PC MACLAN\ATSPOOL.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\SonicWALL\SonicWALL VPN Client\SafeCfg.exe
D:\software\PeerGuardian 2 Beta\pg2.exe
C:\WINDOWS\system32\wuauclt.exe
E:\Bin\demo32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Hijack\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [Miramar Systems, Inc.] C:\Program Files\Miramar\PC MACLAN\atmsg.exe
O4 - HKLM\..\Run: [EPSON Stylus CX3200] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX3200" /O6 "USB001" /M "Stylus CX3200"
O4 - HKLM\..\Run: [dmtol.exe] C:\WINDOWS\system32\dmtol.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KAVPersonal50] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
O4 - HKLM\..\Run: [hclean32.exe] C:\WINDOWS\system32\hclean32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Raccourci vers pg2.lnk = D:\software\PeerGuardian 2 Beta\pg2.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: SonicWALL VPN Client.lnk = C:\Program Files\SonicWALL\SonicWALL VPN Client\SafeCfg.exe
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: fdjeux - https://www.fdjeux.net/classes/fdjeux.cab
O23 - Service: AppleTalk Messenger (ATMsg) - Miramar Systems Inc. - C:\Program Files\Miramar\PC MACLAN\ATMsg.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Fichiers communs\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Fichiers communs\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: SafeNet Monitor Service (IPSECMON) - SafeNet - C:\Program Files\SonicWALL\SonicWALL VPN Client\IPSecMon.exe
O23 - Service: SafeNet IKE Service (IreIKE) - SafeNet - C:\Program Files\SonicWALL\SonicWALL VPN Client\IreIKE.exe
O23 - Service: kavsvc - Kaspersky Labs - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: Miramar AppleTalk Print Server - Miramar Systems Inc. - c:\Program Files\Miramar\PC MACLAN\ATSPOOL.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
Vraiment MERCI pour le temps passé à m'aider
------------
hc.bat
--------------
Rapport fait à 17:45:36,59 le 03/10/2005
Executé à partir de D:\antivirus\jAu
OS: Microsoft Windows XP [version 5.1.2600]
*********************************************
Vérification HKLM\...\...\...\...\ruins
*********************************************
Fichiers détectés :
C:\WINDOWS\System32\loadctr32.exe Présent !
*********************************************
Recherche des processus aleatoires
d'après les modèles : cs***.exe, dm***.exe, ya***.exe
C:\WINDOWS\System32
*********************************************
Recherche presence hclean32.exe...
non trouvé...
-----------------------
silentrunners
-------------------------
"Silent Runners.vbs", revision 40.1, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"NVMixerTray" = ""C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"" ["NVIDIA Corporation"]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS]
"SmcService" = "C:\PROGRA~1\Sygate\SPF\smc.exe -startgui" ["Sygate Technologies, Inc."]
"Miramar Systems, Inc." = "C:\Program Files\Miramar\PC MACLAN\atmsg.exe" ["Miramar Systems Inc."]
"EPSON Stylus CX3200" = "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX3200" /O6 "USB001" /M "Stylus CX3200"" ["SEIKO EPSON CORPORATION"]
"dmtol.exe" = "C:\WINDOWS\system32\dmtol.exe" [file not found]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"KAVPersonal50" = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize" ["Kaspersky Labs"]
"hclean32.exe" = "C:\WINDOWS\system32\hclean32.exe" [file not found]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Extension Affichage Panorama du Panneau de configuration"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Extension icône HyperTerminal"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\MICROS~1\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\MICROS~1\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{8FF88D21-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.2 Context Menu Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]
"{8FF88D25-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.2 DragDrop Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]
"{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.2 Context Menu Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]
"{8FF88D23-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.2 Property Sheet Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real Alternative\rpshell.dll" ["RealNetworks, Inc."]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]
HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Fichiers communs\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\context.dll" ["ewido networks"]
Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\shellex.dll" ["Kaspersky Labs"]
TheCleaner\(Default) = "{2DE506B9-4320-11d3-8E42-002035221EDA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\The Cleaner\tcshellex.dll" ["MooSoft Development"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
ZFAdd\(Default) = "{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\context.dll" ["ewido networks"]
Miramar_AppleTalk\(Default) = "{327700A0-1ABB-11CF-BD20-4CAA03C10000}"
-> {CLSID}\InProcServer32\(Default) = "atshel32.dll" ["Miramar Systems Inc."]
TheCleaner\(Default) = "{2DE506B9-4320-11D3-8E42-002035221EDA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\The Cleaner\tcshellex.dll" ["MooSoft Development"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
ZFAdd\(Default) = "{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\shellex.dll" ["Kaspersky Labs"]
MiramarNPMenu\(Default) = "{EA075FE0-9229-11CF-AEEE-00AA00A06FE4}"
-> {CLSID}\InProcServer32\(Default) = "atnp32.dll" ["Miramar Systems Inc."]
Miramar_Printers\(Default) = "{36C959A0-7CF9-11CF-AEEE-00AA00A06FE4}"
-> {CLSID}\InProcServer32\(Default) = "atpp32.dll" ["Miramar Systems Inc."]
TheCleaner\(Default) = "{2DE506B9-4320-11D3-8E42-002035221EDA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\The Cleaner\tcshellex.dll" ["MooSoft Development"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
Active Desktop and Wallpaper:
-----------------------------
Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Pierrot (Admin)\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"
Enabled Screen Saver:
---------------------
HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]
Startup items in "Pierrot (Admin)" & "All Users" startup folders:
-----------------------------------------------------------------
C:\Documents and Settings\Pierrot (Admin)\Menu Démarrer\Programmes\Démarrage
"Raccourci vers pg2" -> shortcut to: "D:\software\PeerGuardian 2 Beta\pg2.exe" ["Methlabs"]
C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage
"Adobe Gamma Loader" -> shortcut to: "C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
"Lancement rapide d'Adobe Reader" -> shortcut to: "D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"SonicWALL VPN Client" -> shortcut to: "C:\Program Files\SonicWALL\SonicWALL VPN Client\SafeCfg.exe" ["SafeNet"]
Enabled Scheduled Tasks:
------------------------
"XoftSpy" -> launches: "C:\Program Files\XoftSpy\XoftSpy.exe -t" ["ParetoLogic Inc."]
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 21
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05
Toolbars, Explorer Bars, Extensions:
------------------------------------
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\Software\Microsoft\Internet Explorer\Extensions\
{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Recherche"
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]
Miscellaneous IE Hijack Points
------------------------------
C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")
Added lines (compared with English-language version):
[Strings]: SAFESITE_VALUE="http://home.microsoft.com/intl/fr/"
Missing lines (compared with English-language version):
[Strings]: 1 line
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
AppleTalk Messenger, ATMsg, "C:\Program Files\Miramar\PC MACLAN\ATMsg.exe -service" ["Miramar Systems Inc."]
EPSON Printer Status Agent2, EPSONStatusAgent2, "C:\Program Files\Fichiers communs\EPSON\EBAPI\SAgent2.exe" ["SEIKO EPSON CORPORATION"]
EpsonBidirectionalService, EpsonBidirectionalService, "C:\Program Files\Fichiers communs\EPSON\EBAPI\eEBSVC.exe" [null data]
ewido security suite control, ewido security suite control, "C:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
ewido security suite guard, ewido security suite guard, "C:\Program Files\ewido\security suite\ewidoguard.exe" ["ewido networks"]
kavsvc, kavsvc, "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe" ["Kaspersky Labs"]
Miramar AppleTalk Print Server, Miramar AppleTalk Print Server, ""c:\Program Files\Miramar\PC MACLAN\ATSPOOL.EXE"" ["Miramar Systems Inc."]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
SafeNet IKE Service, IreIKE, ""C:\Program Files\SonicWALL\SonicWALL VPN Client\IreIKE.exe"" ["SafeNet"]
SafeNet Monitor Service, IPSECMON, ""C:\Program Files\SonicWALL\SonicWALL VPN Client\IPSecMon.exe"" ["SafeNet"]
Sygate Personal Firewall, SmcService, "C:\Program Files\Sygate\SPF\smc.exe" ["Sygate Technologies, Inc."]
----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 27 seconds, including 3 seconds for message boxes)
-------------------
hijackthis
---------------------
Logfile of HijackThis v1.99.1
Scan saved at 17:41:48, on 03/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\SonicWALL\SonicWALL VPN Client\IreIKE.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Fichiers communs\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Miramar\PC MACLAN\ATMsg.exe
C:\Program Files\Fichiers communs\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\SonicWALL\SonicWALL VPN Client\IPSecMon.exe
c:\Program Files\Miramar\PC MACLAN\ATSPOOL.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\SonicWALL\SonicWALL VPN Client\SafeCfg.exe
D:\software\PeerGuardian 2 Beta\pg2.exe
C:\WINDOWS\system32\wuauclt.exe
E:\Bin\demo32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Hijack\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [Miramar Systems, Inc.] C:\Program Files\Miramar\PC MACLAN\atmsg.exe
O4 - HKLM\..\Run: [EPSON Stylus CX3200] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX3200" /O6 "USB001" /M "Stylus CX3200"
O4 - HKLM\..\Run: [dmtol.exe] C:\WINDOWS\system32\dmtol.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KAVPersonal50] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
O4 - HKLM\..\Run: [hclean32.exe] C:\WINDOWS\system32\hclean32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Raccourci vers pg2.lnk = D:\software\PeerGuardian 2 Beta\pg2.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: SonicWALL VPN Client.lnk = C:\Program Files\SonicWALL\SonicWALL VPN Client\SafeCfg.exe
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: fdjeux - https://www.fdjeux.net/classes/fdjeux.cab
O23 - Service: AppleTalk Messenger (ATMsg) - Miramar Systems Inc. - C:\Program Files\Miramar\PC MACLAN\ATMsg.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Fichiers communs\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Fichiers communs\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: SafeNet Monitor Service (IPSECMON) - SafeNet - C:\Program Files\SonicWALL\SonicWALL VPN Client\IPSecMon.exe
O23 - Service: SafeNet IKE Service (IreIKE) - SafeNet - C:\Program Files\SonicWALL\SonicWALL VPN Client\IreIKE.exe
O23 - Service: kavsvc - Kaspersky Labs - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: Miramar AppleTalk Print Server - Miramar Systems Inc. - c:\Program Files\Miramar\PC MACLAN\ATSPOOL.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
Vraiment MERCI pour le temps passé à m'aider
salut pierre
Rend visible les fichiers cachés et systeme
panneau de configuration > options des dossiers > onglet affichage
Cocher la case devant " afficher les fichiers et dossiers cachés "
Décocher la case devant " masquer les extentions des fichiers dont le type est connu"
Décocher la case devant " masquer les fichiers protégés du système"
clic sur [Appliquer] puis sur [ok] pour valider
-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
Lance hijackthis et clic sur [do a system scan only]
cocher la case au début des lignes suivantes:
O4 - HKLM\..\Run: [dmtol.exe] C:\WINDOWS\system32\dmtol.exe
O4 - HKLM\..\Run: [hclean32.exe] C:\WINDOWS\system32\hclean32.exe
valider en cliquant sur le bouton [fix checked]
-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
recherche et supprime:
C:\WINDOWS\System32\loadctr32.exe
s'il resiste, supprime le avec killbox
verifie aussi si :
C:\WINDOWS\system32\dmtol.exe
C:\WINDOWS\system32\hclean32.exe
n'existent plus. (normallement ils ne devraient plus y etre)
redemarre le pc, puis reposte les rapports des trois progs
(pour hijackthis, fais le rapport apres t'etre connecté au net)
a+
Rend visible les fichiers cachés et systeme
panneau de configuration > options des dossiers > onglet affichage
Cocher la case devant " afficher les fichiers et dossiers cachés "
Décocher la case devant " masquer les extentions des fichiers dont le type est connu"
Décocher la case devant " masquer les fichiers protégés du système"
clic sur [Appliquer] puis sur [ok] pour valider
-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
Lance hijackthis et clic sur [do a system scan only]
cocher la case au début des lignes suivantes:
O4 - HKLM\..\Run: [dmtol.exe] C:\WINDOWS\system32\dmtol.exe
O4 - HKLM\..\Run: [hclean32.exe] C:\WINDOWS\system32\hclean32.exe
valider en cliquant sur le bouton [fix checked]
-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
recherche et supprime:
C:\WINDOWS\System32\loadctr32.exe
s'il resiste, supprime le avec killbox
verifie aussi si :
C:\WINDOWS\system32\dmtol.exe
C:\WINDOWS\system32\hclean32.exe
n'existent plus. (normallement ils ne devraient plus y etre)
redemarre le pc, puis reposte les rapports des trois progs
(pour hijackthis, fais le rapport apres t'etre connecté au net)
a+
Bonsoir,
ci-joint les derniers logs
-------------
Hijack
-------------
Logfile of HijackThis v1.99.1
Scan saved at 18:25:43, on 03/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\SonicWALL\SonicWALL VPN Client\IreIKE.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Fichiers communs\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Miramar\PC MACLAN\ATMsg.exe
C:\Program Files\Fichiers communs\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\SonicWALL\SonicWALL VPN Client\IPSecMon.exe
c:\Program Files\Miramar\PC MACLAN\ATSPOOL.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\SonicWALL\SonicWALL VPN Client\SafeCfg.exe
D:\software\PeerGuardian 2 Beta\pg2.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Hijack\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [Miramar Systems, Inc.] C:\Program Files\Miramar\PC MACLAN\atmsg.exe
O4 - HKLM\..\Run: [EPSON Stylus CX3200] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX3200" /O6 "USB001" /M "Stylus CX3200"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KAVPersonal50] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Raccourci vers pg2.lnk = D:\software\PeerGuardian 2 Beta\pg2.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: SonicWALL VPN Client.lnk = C:\Program Files\SonicWALL\SonicWALL VPN Client\SafeCfg.exe
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: fdjeux - https://www.fdjeux.net/classes/fdjeux.cab
O23 - Service: AppleTalk Messenger (ATMsg) - Miramar Systems Inc. - C:\Program Files\Miramar\PC MACLAN\ATMsg.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Fichiers communs\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Fichiers communs\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: SafeNet Monitor Service (IPSECMON) - SafeNet - C:\Program Files\SonicWALL\SonicWALL VPN Client\IPSecMon.exe
O23 - Service: SafeNet IKE Service (IreIKE) - SafeNet - C:\Program Files\SonicWALL\SonicWALL VPN Client\IreIKE.exe
O23 - Service: kavsvc - Kaspersky Labs - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: Miramar AppleTalk Print Server - Miramar Systems Inc. - c:\Program Files\Miramar\PC MACLAN\ATSPOOL.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
-------------
silentrunners
---------------
"Silent Runners.vbs", revision 40.1, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"NVMixerTray" = ""C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"" ["NVIDIA Corporation"]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS]
"SmcService" = "C:\PROGRA~1\Sygate\SPF\smc.exe -startgui" ["Sygate Technologies, Inc."]
"Miramar Systems, Inc." = "C:\Program Files\Miramar\PC MACLAN\atmsg.exe" ["Miramar Systems Inc."]
"EPSON Stylus CX3200" = "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX3200" /O6 "USB001" /M "Stylus CX3200"" ["SEIKO EPSON CORPORATION"]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"KAVPersonal50" = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize" ["Kaspersky Labs"]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Extension Affichage Panorama du Panneau de configuration"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Extension icône HyperTerminal"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\MICROS~1\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\MICROS~1\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{8FF88D21-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.2 Context Menu Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]
"{8FF88D25-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.2 DragDrop Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]
"{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.2 Context Menu Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]
"{8FF88D23-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.2 Property Sheet Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real Alternative\rpshell.dll" ["RealNetworks, Inc."]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]
HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Fichiers communs\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\context.dll" ["ewido networks"]
Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\shellex.dll" ["Kaspersky Labs"]
TheCleaner\(Default) = "{2DE506B9-4320-11d3-8E42-002035221EDA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\The Cleaner\tcshellex.dll" ["MooSoft Development"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
ZFAdd\(Default) = "{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\context.dll" ["ewido networks"]
Miramar_AppleTalk\(Default) = "{327700A0-1ABB-11CF-BD20-4CAA03C10000}"
-> {CLSID}\InProcServer32\(Default) = "atshel32.dll" ["Miramar Systems Inc."]
TheCleaner\(Default) = "{2DE506B9-4320-11D3-8E42-002035221EDA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\The Cleaner\tcshellex.dll" ["MooSoft Development"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
ZFAdd\(Default) = "{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\shellex.dll" ["Kaspersky Labs"]
MiramarNPMenu\(Default) = "{EA075FE0-9229-11CF-AEEE-00AA00A06FE4}"
-> {CLSID}\InProcServer32\(Default) = "atnp32.dll" ["Miramar Systems Inc."]
Miramar_Printers\(Default) = "{36C959A0-7CF9-11CF-AEEE-00AA00A06FE4}"
-> {CLSID}\InProcServer32\(Default) = "atpp32.dll" ["Miramar Systems Inc."]
TheCleaner\(Default) = "{2DE506B9-4320-11D3-8E42-002035221EDA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\The Cleaner\tcshellex.dll" ["MooSoft Development"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
Active Desktop and Wallpaper:
-----------------------------
Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Pierrot (Admin)\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"
Enabled Screen Saver:
---------------------
HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]
Startup items in "Pierrot (Admin)" & "All Users" startup folders:
-----------------------------------------------------------------
C:\Documents and Settings\Pierrot (Admin)\Menu Démarrer\Programmes\Démarrage
"Raccourci vers pg2" -> shortcut to: "D:\software\PeerGuardian 2 Beta\pg2.exe" ["Methlabs"]
C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage
"Adobe Gamma Loader" -> shortcut to: "C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
"Lancement rapide d'Adobe Reader" -> shortcut to: "D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"SonicWALL VPN Client" -> shortcut to: "C:\Program Files\SonicWALL\SonicWALL VPN Client\SafeCfg.exe" ["SafeNet"]
Enabled Scheduled Tasks:
------------------------
"XoftSpy" -> launches: "C:\Program Files\XoftSpy\XoftSpy.exe -t" ["ParetoLogic Inc."]
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 21
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05
Toolbars, Explorer Bars, Extensions:
------------------------------------
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\Software\Microsoft\Internet Explorer\Extensions\
{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Recherche"
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]
Miscellaneous IE Hijack Points
------------------------------
C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")
Added lines (compared with English-language version):
[Strings]: SAFESITE_VALUE="http://home.microsoft.com/intl/fr/"
Missing lines (compared with English-language version):
[Strings]: 1 line
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
AppleTalk Messenger, ATMsg, "C:\Program Files\Miramar\PC MACLAN\ATMsg.exe -service" ["Miramar Systems Inc."]
EPSON Printer Status Agent2, EPSONStatusAgent2, "C:\Program Files\Fichiers communs\EPSON\EBAPI\SAgent2.exe" ["SEIKO EPSON CORPORATION"]
EpsonBidirectionalService, EpsonBidirectionalService, "C:\Program Files\Fichiers communs\EPSON\EBAPI\eEBSVC.exe" [null data]
ewido security suite control, ewido security suite control, "C:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
ewido security suite guard, ewido security suite guard, "C:\Program Files\ewido\security suite\ewidoguard.exe" ["ewido networks"]
kavsvc, kavsvc, "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe" ["Kaspersky Labs"]
Miramar AppleTalk Print Server, Miramar AppleTalk Print Server, ""c:\Program Files\Miramar\PC MACLAN\ATSPOOL.EXE"" ["Miramar Systems Inc."]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
SafeNet IKE Service, IreIKE, ""C:\Program Files\SonicWALL\SonicWALL VPN Client\IreIKE.exe"" ["SafeNet"]
SafeNet Monitor Service, IPSECMON, ""C:\Program Files\SonicWALL\SonicWALL VPN Client\IPSecMon.exe"" ["SafeNet"]
Sygate Personal Firewall, SmcService, "C:\Program Files\Sygate\SPF\smc.exe" ["Sygate Technologies, Inc."]
----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 27 seconds, including 10 seconds for message boxes)
----------
jAu
---------------
Rapport fait à 18:23:36,65 le 03/10/2005
Executé à partir de D:\antivirus\jAu
OS: Microsoft Windows XP [version 5.1.2600]
*********************************************
Vérification HKLM\...\...\...\...\ruins
*********************************************
Fichiers détectés :
*********************************************
Recherche des processus aleatoires
d'après les modèles : cs***.exe, dm***.exe, ya***.exe
C:\WINDOWS\System32
*********************************************
Recherche presence hclean32.exe...
non trouvé...
ci-joint les derniers logs
-------------
Hijack
-------------
Logfile of HijackThis v1.99.1
Scan saved at 18:25:43, on 03/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\SonicWALL\SonicWALL VPN Client\IreIKE.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Fichiers communs\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Miramar\PC MACLAN\ATMsg.exe
C:\Program Files\Fichiers communs\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\SonicWALL\SonicWALL VPN Client\IPSecMon.exe
c:\Program Files\Miramar\PC MACLAN\ATSPOOL.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\SonicWALL\SonicWALL VPN Client\SafeCfg.exe
D:\software\PeerGuardian 2 Beta\pg2.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Hijack\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [Miramar Systems, Inc.] C:\Program Files\Miramar\PC MACLAN\atmsg.exe
O4 - HKLM\..\Run: [EPSON Stylus CX3200] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX3200" /O6 "USB001" /M "Stylus CX3200"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KAVPersonal50] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Raccourci vers pg2.lnk = D:\software\PeerGuardian 2 Beta\pg2.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: SonicWALL VPN Client.lnk = C:\Program Files\SonicWALL\SonicWALL VPN Client\SafeCfg.exe
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: fdjeux - https://www.fdjeux.net/classes/fdjeux.cab
O23 - Service: AppleTalk Messenger (ATMsg) - Miramar Systems Inc. - C:\Program Files\Miramar\PC MACLAN\ATMsg.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Fichiers communs\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Fichiers communs\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: SafeNet Monitor Service (IPSECMON) - SafeNet - C:\Program Files\SonicWALL\SonicWALL VPN Client\IPSecMon.exe
O23 - Service: SafeNet IKE Service (IreIKE) - SafeNet - C:\Program Files\SonicWALL\SonicWALL VPN Client\IreIKE.exe
O23 - Service: kavsvc - Kaspersky Labs - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: Miramar AppleTalk Print Server - Miramar Systems Inc. - c:\Program Files\Miramar\PC MACLAN\ATSPOOL.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
-------------
silentrunners
---------------
"Silent Runners.vbs", revision 40.1, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"NVMixerTray" = ""C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"" ["NVIDIA Corporation"]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS]
"SmcService" = "C:\PROGRA~1\Sygate\SPF\smc.exe -startgui" ["Sygate Technologies, Inc."]
"Miramar Systems, Inc." = "C:\Program Files\Miramar\PC MACLAN\atmsg.exe" ["Miramar Systems Inc."]
"EPSON Stylus CX3200" = "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX3200" /O6 "USB001" /M "Stylus CX3200"" ["SEIKO EPSON CORPORATION"]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"KAVPersonal50" = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize" ["Kaspersky Labs"]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Extension Affichage Panorama du Panneau de configuration"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Extension icône HyperTerminal"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\MICROS~1\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\MICROS~1\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{8FF88D21-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.2 Context Menu Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]
"{8FF88D25-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.2 DragDrop Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]
"{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.2 Context Menu Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]
"{8FF88D23-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.2 Property Sheet Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real Alternative\rpshell.dll" ["RealNetworks, Inc."]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]
HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Fichiers communs\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\context.dll" ["ewido networks"]
Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\shellex.dll" ["Kaspersky Labs"]
TheCleaner\(Default) = "{2DE506B9-4320-11d3-8E42-002035221EDA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\The Cleaner\tcshellex.dll" ["MooSoft Development"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
ZFAdd\(Default) = "{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\context.dll" ["ewido networks"]
Miramar_AppleTalk\(Default) = "{327700A0-1ABB-11CF-BD20-4CAA03C10000}"
-> {CLSID}\InProcServer32\(Default) = "atshel32.dll" ["Miramar Systems Inc."]
TheCleaner\(Default) = "{2DE506B9-4320-11D3-8E42-002035221EDA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\The Cleaner\tcshellex.dll" ["MooSoft Development"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
ZFAdd\(Default) = "{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\shellex.dll" ["Kaspersky Labs"]
MiramarNPMenu\(Default) = "{EA075FE0-9229-11CF-AEEE-00AA00A06FE4}"
-> {CLSID}\InProcServer32\(Default) = "atnp32.dll" ["Miramar Systems Inc."]
Miramar_Printers\(Default) = "{36C959A0-7CF9-11CF-AEEE-00AA00A06FE4}"
-> {CLSID}\InProcServer32\(Default) = "atpp32.dll" ["Miramar Systems Inc."]
TheCleaner\(Default) = "{2DE506B9-4320-11D3-8E42-002035221EDA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\The Cleaner\tcshellex.dll" ["MooSoft Development"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
Active Desktop and Wallpaper:
-----------------------------
Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Pierrot (Admin)\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"
Enabled Screen Saver:
---------------------
HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]
Startup items in "Pierrot (Admin)" & "All Users" startup folders:
-----------------------------------------------------------------
C:\Documents and Settings\Pierrot (Admin)\Menu Démarrer\Programmes\Démarrage
"Raccourci vers pg2" -> shortcut to: "D:\software\PeerGuardian 2 Beta\pg2.exe" ["Methlabs"]
C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage
"Adobe Gamma Loader" -> shortcut to: "C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
"Lancement rapide d'Adobe Reader" -> shortcut to: "D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"SonicWALL VPN Client" -> shortcut to: "C:\Program Files\SonicWALL\SonicWALL VPN Client\SafeCfg.exe" ["SafeNet"]
Enabled Scheduled Tasks:
------------------------
"XoftSpy" -> launches: "C:\Program Files\XoftSpy\XoftSpy.exe -t" ["ParetoLogic Inc."]
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 21
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05
Toolbars, Explorer Bars, Extensions:
------------------------------------
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\Software\Microsoft\Internet Explorer\Extensions\
{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Recherche"
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]
Miscellaneous IE Hijack Points
------------------------------
C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")
Added lines (compared with English-language version):
[Strings]: SAFESITE_VALUE="http://home.microsoft.com/intl/fr/"
Missing lines (compared with English-language version):
[Strings]: 1 line
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
AppleTalk Messenger, ATMsg, "C:\Program Files\Miramar\PC MACLAN\ATMsg.exe -service" ["Miramar Systems Inc."]
EPSON Printer Status Agent2, EPSONStatusAgent2, "C:\Program Files\Fichiers communs\EPSON\EBAPI\SAgent2.exe" ["SEIKO EPSON CORPORATION"]
EpsonBidirectionalService, EpsonBidirectionalService, "C:\Program Files\Fichiers communs\EPSON\EBAPI\eEBSVC.exe" [null data]
ewido security suite control, ewido security suite control, "C:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
ewido security suite guard, ewido security suite guard, "C:\Program Files\ewido\security suite\ewidoguard.exe" ["ewido networks"]
kavsvc, kavsvc, "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe" ["Kaspersky Labs"]
Miramar AppleTalk Print Server, Miramar AppleTalk Print Server, ""c:\Program Files\Miramar\PC MACLAN\ATSPOOL.EXE"" ["Miramar Systems Inc."]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
SafeNet IKE Service, IreIKE, ""C:\Program Files\SonicWALL\SonicWALL VPN Client\IreIKE.exe"" ["SafeNet"]
SafeNet Monitor Service, IPSECMON, ""C:\Program Files\SonicWALL\SonicWALL VPN Client\IPSecMon.exe"" ["SafeNet"]
Sygate Personal Firewall, SmcService, "C:\Program Files\Sygate\SPF\smc.exe" ["Sygate Technologies, Inc."]
----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 27 seconds, including 10 seconds for message boxes)
----------
jAu
---------------
Rapport fait à 18:23:36,65 le 03/10/2005
Executé à partir de D:\antivirus\jAu
OS: Microsoft Windows XP [version 5.1.2600]
*********************************************
Vérification HKLM\...\...\...\...\ruins
*********************************************
Fichiers détectés :
*********************************************
Recherche des processus aleatoires
d'après les modèles : cs***.exe, dm***.exe, ya***.exe
C:\WINDOWS\System32
*********************************************
Recherche presence hclean32.exe...
non trouvé...
Vous n’avez pas trouvé la réponse que vous recherchez ?
Posez votre question
ca a l'air ok
Des soucis de ton coté ?
fais quand meme un scan av de controle:
ici:
http://webscanner.kaspersky.fr/
apres le chargement du control active X, clic sur suivant
puis clic sur configuration et choisis "étendue"
Choisis l'analyse répertoire et choisis ton ou tes disques durs
ou là:
http://www.bitdefender.fr
A la fin de l'analyse, copier/coller le rapport ici
a++
Des soucis de ton coté ?
fais quand meme un scan av de controle:
ici:
http://webscanner.kaspersky.fr/
apres le chargement du control active X, clic sur suivant
puis clic sur configuration et choisis "étendue"
Choisis l'analyse répertoire et choisis ton ou tes disques durs
ou là:
http://www.bitdefender.fr
A la fin de l'analyse, copier/coller le rapport ici
a++
Le rapport est clean
-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Monday, October 03, 2005 19:09:30
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 3/10/2005
Kaspersky Anti-Virus database records: 143069
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true
Scan Target - Folders:
C:\
D:\
Scan Statistics:
Total number of scanned objects: 39941
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 1305 sec
No malware has been detected. The sections that have been scanned are CLEAN.
Scan process completed.
Merci beaucoup à tous les 2
Et si vous avez des infos sur ce que fait hclean32 je suis preneur (pour info)
Merci encore
-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Monday, October 03, 2005 19:09:30
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 3/10/2005
Kaspersky Anti-Virus database records: 143069
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true
Scan Target - Folders:
C:\
D:\
Scan Statistics:
Total number of scanned objects: 39941
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 1305 sec
No malware has been detected. The sections that have been scanned are CLEAN.
Scan process completed.
Merci beaucoup à tous les 2
Et si vous avez des infos sur ce que fait hclean32 je suis preneur (pour info)
Merci encore
salut
je crois que hclean32 n'est que le debut d'infection, en fait, il modifie tes dns (017 dans hijackthis), pour te rediriger vers des urls piégées qui permettent surement d'executer ou de telecharger un fichier à distance.
Il est lié avec wareout, (la 2eme partie de l'infection à mon avis) un faux antispyware qui s'installe sans te demander ton avis sur ton pc.
hclean et detecté selon les av comme:
trojan.flush
http://securityresponse.symantec.com/avcenter/venc/data/trojan.flush.a.html
/trojruindla
http://www.sophos.com/virusinfo/analyses/trojruindla.html
Pour regis:
il manquait juste les 04 et la 01 dans hijack à faire fixer.
Mais bon, en général c'est rare que les 04 apparaissent dans hijack à part en tout début d'infection, ensuite il faut un silentrunners pour les debusquer.
Je crois que tu as pigé le truc.
a+
je crois que hclean32 n'est que le debut d'infection, en fait, il modifie tes dns (017 dans hijackthis), pour te rediriger vers des urls piégées qui permettent surement d'executer ou de telecharger un fichier à distance.
Il est lié avec wareout, (la 2eme partie de l'infection à mon avis) un faux antispyware qui s'installe sans te demander ton avis sur ton pc.
hclean et detecté selon les av comme:
trojan.flush
http://securityresponse.symantec.com/avcenter/venc/data/trojan.flush.a.html
/trojruindla
http://www.sophos.com/virusinfo/analyses/trojruindla.html
Pour regis:
il manquait juste les 04 et la 01 dans hijack à faire fixer.
Mais bon, en général c'est rare que les 04 apparaissent dans hijack à part en tout début d'infection, ensuite il faut un silentrunners pour les debusquer.
Je crois que tu as pigé le truc.
a+
Les autres suivent.
Merci pour l'aide.
Question : que fait exactement HCLEAN32.EXE comme "dégats" ?
Rapport fait à 15:28:50,81 le 03/10/2005
Executé à partir de D:\antivirus\jAu
OS: Microsoft Windows XP [version 5.1.2600]
*********************************************
Vérification HKLM\...\...\...\...\ruins
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins]
"pgtshlld"=hex:a1,47,00,00,90,90,a8,a4,a1,a8,cd,dc,1a,db,fc,eb,14,00,00,00
"nidnsdr"=hex:d4,48,00,00,d3,a5,e2,ef,8d,80,87,cf,ec,91,dc,13,00,00,00
"23naelch"=hex:ba,42,00,00,b7,80,83,b2,ae,95,28,21,3d,c2,d7,f2,14,00,00,00
"aplnsftn"=hex:68,4d,00,00,43,41,6b,76,63,69,1d,04,43,10,05,20,14,00,00,00
"23rtcdaol"=hex:02,4e,00,00,fb,ec,c6,cb,d0,cb,b1,f8,e1,ed,82,97,92,15,00,00,00
"lotmd"=hex:2d,36,00,00,04,07,04,31,2c,e6,57,68,47,11,00,00,00
"7"=hex:54,5c,00,00,29,2a,65,14,00,7f,42,4b,57,64,29,54,14,00,00,00
"8"=hex:54,5c,00,00,53,25,62,6f,0d,00,07,4f,6c,11,5c,13,00,00,00
"9"=hex:54,5c,00,00,57,55,1f,6a,77,7d,01,78,57,64,29,54,14,00,00,00
"10"=hex:10,3a,00,00,ed,ee,d9,d8,c4,c3,86,8f,eb,a8,6d,98,14,00,00,00
"11"=hex:10,3a,00,00,17,e9,26,d3,c1,c4,bb,f3,a0,55,90,13,00,00,00
"12"=hex:10,3a,00,00,eb,19,d3,2e,cb,c1,45,bc,eb,a8,6d,98,14,00,00,00
"13"=hex:a8,15,00,00,85,96,b1,a0,bc,ab,1e,17,03,d0,c5,e0,14,00,00,00
"14"=hex:a8,15,00,00,8f,91,be,bb,b9,ac,d3,1b,d8,fd,e8,13,00,00,00
"15"=hex:dc,15,00,00,df,cd,e7,e2,ff,f5,89,f0,df,9c,b1,ac,14,00,00,00
"16"=hex:cb,57,00,00,a6,b3,92,9d,99,84,3b,30,2c,ed,a6,dd,14,00,00,00
"17"=hex:cb,57,00,00,a8,b2,9b,94,9a,89,fc,34,e5,9e,d5,13,00,00,00
"18"=hex:cb,57,00,00,ac,a2,94,93,8c,8a,fe,e1,2c,ed,a6,dd,14,00,00,00
"19"=hex:bc,45,00,00,b1,82,8d,8c,a8,97,2a,23,3f,fc,d1,cc,14,00,00,00
"20"=hex:bc,45,00,00,bb,bd,8a,87,95,98,ef,27,f4,e9,c4,13,00,00,00
"21"=hex:bc,45,00,00,bf,ad,87,82,9f,95,e9,d0,3f,fc,d1,cc,14,00,00,00
"22"=hex:b6,7e,00,00,8b,84,87,b6,a2,99,2c,25,31,c6,cb,f6,14,00,00,00
"23"=hex:b6,7e,00,00,bd,87,8c,89,af,a2,e1,29,ce,f3,fe,13,00,00,00
"24"=hex:e7,7e,00,00,c0,c6,e8,f7,e0,ee,92,85,c0,91,ba,a1,14,00,00,00
"25"=hex:03,6a,00,00,fe,fb,ca,c5,d1,cc,f3,f8,e4,b5,9e,85,14,00,00,00
"26"=hex:03,6a,00,00,e0,fa,d3,dc,d2,d1,b4,fc,bd,a6,8d,13,00,00,00
"27"=hex:34,6a,00,00,37,35,3f,0a,17,1d,61,58,b7,44,49,74,14,00,00,00
"28"=hex:4a,41,00,00,27,30,13,02,1e,05,b8,b1,ad,72,27,42,14,00,00,00
"29"=hex:4a,41,00,00,29,33,18,15,1b,0e,7d,b5,7a,1f,4a,13,00,00,00
"30"=hex:4a,41,00,00,2d,23,15,10,0d,0b,7f,66,ad,72,27,42,14,00,00,00
"31"=hex:56,04,00,00,2b,24,67,16,02,79,4c,45,51,66,2b,56,14,00,00,00
"32"=hex:56,04,00,00,5d,27,6c,69,0f,02,01,49,6e,13,5e,13,00,00,00
"33"=hex:8a,04,00,00,6d,63,55,50,4d,4b,3f,26,6d,32,e7,02,14,00,00,00
"34"=hex:e6,01,00,00,db,d4,f7,e6,f2,e9,dc,d5,c1,96,bb,a6,14,00,00,00
"35"=hex:e6,01,00,00,cd,d7,fc,f9,ff,f2,91,d9,9e,83,ae,13,00,00,00
"36"=hex:e6,01,00,00,c1,c7,e9,f4,e1,ef,93,8a,c1,96,bb,a6,14,00,00,00
"37"=hex:9d,62,00,00,90,9d,ac,af,4b,b6,15,02,1e,df,f0,ef,14,00,00,00
"38"=hex:9d,62,00,00,9a,9c,b5,a6,b4,bb,ce,06,d7,c8,e7,13,00,00,00
"39"=hex:d1,62,00,00,aa,d8,92,e9,8a,80,84,ff,2a,eb,ac,db,14,00,00,00
"40"=hex:8c,4e,00,00,61,72,5d,5c,58,47,7a,73,6f,2c,e1,1c,14,00,00,00
"41"=hex:c0,4e,00,00,a7,b9,96,83,91,94,eb,23,f0,e5,c0,13,00,00,00
"42"=hex:f4,4e,00,00,f7,f5,ff,ca,d7,dd,a1,98,f7,84,89,b4,14,00,00,00
"43"=hex:ba,67,00,00,b7,80,83,b2,ae,95,28,21,3d,c2,d7,f2,14,00,00,00
"44"=hex:ba,67,00,00,b9,83,88,85,ab,9e,ed,25,ca,ef,fa,13,00,00,00
"45"=hex:ef,67,00,00,c8,fe,f0,cf,e8,e6,9a,9d,c8,89,82,b9,14,00,00,00
"46"=hex:6f,1f,00,00,42,4f,7e,79,65,60,67,6c,48,09,02,39,14,00,00,00
"47"=hex:6f,1f,00,00,74,4e,47,70,66,65,18,50,01,3a,31,13,00,00,00
"48"=hex:a0,1f,00,00,9b,89,a3,be,bb,b1,d5,cc,1b,d8,fd,e8,14,00,00,00
"49"=hex:d9,4d,00,00,d4,a1,e0,93,8f,fa,c9,c6,d2,e3,b4,d3,14,00,00,00
"50"=hex:0e,4e,00,00,15,ef,24,d1,c7,ca,b9,f1,a6,5b,96,13,00,00,00
"51"=hex:3f,4e,00,00,38,2e,00,1f,18,16,6a,6d,b8,79,52,49,14,00,00,00
"52"=hex:e5,2a,00,00,d8,d5,f4,e7,f3,ee,dd,da,c6,97,b8,a7,14,00,00,00
"53"=hex:19,2b,00,00,1e,e0,29,2a,c8,3f,42,8a,ab,4c,9b,13,00,00,00
"54"=hex:19,2b,00,00,12,10,da,21,32,38,4c,b7,92,a3,74,93,14,00,00,00
"55"=hex:8f,10,00,00,62,6f,5e,59,45,40,07,0c,68,29,e2,19,14,00,00,00
"56"=hex:c3,10,00,00,a0,ba,93,9c,92,91,f4,3c,fd,e6,cd,13,00,00,00
"57"=hex:f7,10,00,00,f0,f6,f8,c7,d0,de,a2,95,f0,81,8a,b1,14,00,00,00
"58"=hex:ca,33,00,00,a7,b0,93,82,9e,85,38,31,2d,f2,a7,c2,14,00,00,00
"59"=hex:fe,33,00,00,e5,ff,d4,c1,d7,da,a9,e1,b6,ab,86,13,00,00,00
"60"=hex:63,34,00,00,44,4a,6c,7b,64,72,16,09,44,15,3e,25,14,00,00,00
"61"=hex:06,17,00,00,fb,f4,d7,c6,d2,c9,fc,f5,e1,b6,9b,86,14,00,00,00
"62"=hex:37,17,00,00,3c,06,0f,08,2e,1d,60,a8,49,72,79,13,00,00,00
"63"=hex:6b,17,00,00,4c,42,74,73,6c,6a,1e,01,4c,0d,06,3d,14,00,00,00
"64"=hex:48,18,00,00,25,36,11,00,1c,0b,be,b7,a3,70,25,40,14,00,00,00
"65"=hex:7c,18,00,00,7b,7d,4a,47,55,58,2f,67,34,29,04,13,00,00,00
"66"=hex:e1,18,00,00,da,c8,e2,f9,fa,f0,94,8f,da,9b,bc,ab,14,00,00,00
"67"=hex:90,51,00,00,6d,6e,59,58,44,43,06,0f,6b,28,ed,18,14,00,00,00
"68"=hex:f8,51,00,00,ff,c1,ce,cb,e9,dc,a3,eb,88,ad,b8,13,00,00,00
"69"=hex:29,52,00,00,02,00,2a,31,22,28,5c,47,82,53,44,63,14,00,00,00
"70"=hex:f4,77,00,00,c9,ca,c5,f4,e0,df,e2,eb,f7,84,89,b4,14,00,00,00
"71"=hex:59,78,00,00,5e,20,69,6a,08,7f,02,4a,6b,0c,5b,13,00,00,00
"72"=hex:be,78,00,00,b9,af,81,9c,99,97,eb,d2,39,fe,d3,ce,14,00,00,00
"73"=hex:e9,17,00,00,c4,d1,f0,e3,ff,ea,d9,d6,c2,93,84,a3,14,00,00,00
"74"=hex:4e,18,00,00,55,2f,64,11,07,0a,79,b1,66,1b,56,13,00,00,00
"75"=hex:b7,18,00,00,b0,b6,b8,87,90,9e,e2,d5,30,c1,ca,f1,14,00,00,00
"76"=hex:c7,0d,00,00,ba,b7,96,81,9d,88,3f,34,20,f1,da,c1,14,00,00,00
"77"=hex:2d,0e,00,00,0a,0c,05,36,24,2b,5e,96,47,78,77,13,00,00,00
"78"=hex:f7,0e,00,00,f0,f6,f8,c7,d0,de,a2,95,f0,81,8a,b1,14,00,00,00
"79"=hex:cd,45,00,00,a0,ad,9c,9f,9b,86,c5,32,2e,ef,a0,df,14,00,00,00
"80"=hex:67,46,00,00,4c,56,7f,78,7e,6d,10,58,19,02,29,13,00,00,00
"81"=hex:cc,46,00,00,af,dd,97,92,8f,85,f9,e0,2f,ec,a1,dc,14,00,00,00
"82"=hex:43,5a,00,00,3e,3b,0a,05,11,0c,b3,b8,a4,75,5e,45,14,00,00,00
"83"=hex:11,5b,00,00,16,e8,21,d2,c0,c7,ba,f2,a3,54,93,13,00,00,00
"84"=hex:db,5b,00,00,dc,d2,e4,e3,fc,fa,8e,f1,dc,9d,b6,ad,14,00,00,00
"85"=hex:51,6a,00,00,2c,29,18,1b,07,02,41,4e,aa,6b,2c,5b,14,00,00,00
"86"=hex:eb,6a,00,00,c8,d2,fb,f4,fa,e9,9c,d4,85,be,b5,13,00,00,00
"87"=hex:b9,6b,00,00,b2,b0,ba,81,92,98,ec,d7,32,c3,d4,f3,14,00,00,00
"88"=hex:50,6c,00,00,2d,2e,19,18,04,03,46,4f,ab,68,2d,58,14,00,00,00
"89"=hex:b5,6c,00,00,b2,84,8d,8e,ac,a3,e6,2e,cf,f0,ff,13,00,00,00
"90"=hex:4e,6d,00,00,29,5f,11,6c,09,07,7b,62,a9,6e,23,5e,14,00,00,00
"91"=hex:eb,1f,00,00,c6,d3,f2,fd,f9,e4,db,d0,cc,8d,86,bd,14,00,00,00
"92"=hex:81,20,00,00,66,78,51,42,50,57,2a,62,33,24,03,13,00,00,00
"93"=hex:4f,21,00,00,28,5e,10,6f,08,06,7a,7d,a8,69,22,59,14,00,00,00
"94"=hex:e9,16,00,00,c4,d1,f0,e3,ff,ea,d9,d6,c2,93,84,a3,14,00,00,00
"95"=hex:b6,17,00,00,bd,87,8c,89,af,a2,e1,29,ce,f3,fe,13,00,00,00
"96"=hex:4d,18,00,00,2e,5c,16,6d,0e,04,78,63,ae,6f,20,5f,14,00,00,00
"97"=hex:5f,26,00,00,52,5f,6e,69,75,70,57,5c,58,19,32,29,14,00,00,00
"98"=hex:f8,26,00,00,ff,c1,ce,cb,e9,dc,a3,eb,88,ad,b8,13,00,00,00
"99"=hex:c6,27,00,00,a1,a7,89,94,81,8f,f3,ea,21,f6,db,c6,14,00,00,00
"100"=hex:b1,4c,00,00,8c,89,b8,bb,a7,a2,21,2e,0a,cb,cc,fb,14,00,00,00
"101"=hex:7b,4d,00,00,78,42,4b,44,6a,59,2c,64,35,2e,05,13,00,00,00
"102"=hex:49,4e,00,00,22,20,0a,11,02,08,7c,67,a2,73,24,43,14,00,00,00
"103"=hex:5e,06,00,00,53,5c,6f,6e,0a,71,54,5d,59,1e,33,2e,14,00,00,00
"104"=hex:5d,07,00,00,5a,5c,75,66,74,7b,0e,46,17,08,27,13,00,00,00
"105"=hex:27,08,00,00,00,06,28,37,20,2e,52,45,80,51,7a,61,14,00,00,00
"106"=hex:57,57,00,00,2a,27,66,11,0d,78,4f,44,50,61,2a,51,14,00,00,00
"107"=hex:25,58,00,00,02,14,3d,3e,3c,33,56,9e,5f,40,6f,13,00,00,00
"108"=hex:23,59,00,00,04,0a,2c,3b,24,32,56,49,84,55,7e,65,14,00,00,00
"109"=hex:01,76,00,00,fc,f9,c8,cb,d7,d2,f1,fe,fa,bb,9c,8b,14,00,00,00
"110"=hex:cb,76,00,00,a8,b2,9b,94,9a,89,fc,34,e5,9e,d5,13,00,00,00
"111"=hex:ca,77,00,00,ad,a3,95,90,8d,8b,ff,e6,2d,f2,a7,c2,14,00,00,00
"112"=hex:2d,3b,00,00,00,0d,3c,3f,3b,26,a5,92,8e,4f,40,7f,14,00,00,00
"113"=hex:f9,3c,00,00,fe,c0,c9,ca,e8,df,a2,ea,8b,ac,bb,13,00,00,00
"114"=hex:f8,3d,00,00,f3,f1,fb,c6,d3,d9,ad,94,f3,80,95,b0,14,00,00,00
"115"=hex:5c,61,00,00,51,22,6d,6c,08,77,4a,43,5f,1c,31,2c,14,00,00,00
"116"=hex:c0,62,00,00,a7,b9,96,83,91,94,eb,23,f0,e5,c0,13,00,00,00
"117"=hex:bf,63,00,00,b8,ae,80,9f,98,96,ea,ed,38,f9,d2,c9,14,00,00,00
"118"=hex:6f,23,00,00,42,4f,7e,79,65,60,67,6c,48,09,02,39,14,00,00,00
"119"=hex:d6,24,00,00,dd,a7,ec,e9,8f,82,81,c9,ee,93,de,13,00,00,00
"120"=hex:06,26,00,00,e1,e7,c9,d4,c1,cf,b3,aa,e1,b6,9b,86,14,00,00,00
"121"=hex:31,07,00,00,0c,09,38,3b,27,22,a1,ae,8a,4b,4c,7b,14,00,00,00
"122"=hex:95,08,00,00,92,64,ad,ae,4c,43,c6,0e,2f,d0,1f,13,00,00,00
"123"=hex:92,0a,00,00,95,9b,5d,a8,b5,43,c7,3e,15,2a,ef,1a,14,00,00,00
"124"=hex:f5,2c,00,00,c8,c5,c4,f7,e3,de,ed,ea,f6,87,88,b7,14,00,00,00
"125"=hex:8d,2e,00,00,6a,6c,a5,56,44,4b,3e,76,27,d8,17,13,00,00,00
"126"=hex:8e,30,00,00,69,9f,51,ac,49,47,3b,22,69,2e,e3,1e,14,00,00,00
"127"=hex:2d,55,00,00,00,0d,3c,3f,3b,26,a5,92,8e,4f,40,7f,14,00,00,00
"128"=hex:c5,56,00,00,a2,b4,9d,9e,9c,93,f6,3e,ff,e0,cf,13,00,00,00
"129"=hex:29,58,00,00,02,00,2a,31,22,28,5c,47,82,53,44,63,14,00,00,00
"130"=hex:08,18,00,00,e5,f6,d1,c0,dc,cb,fe,f7,e3,b0,65,80,14,00,00,00
"131"=hex:3b,19,00,00,38,02,0b,04,2a,19,6c,a4,75,6e,45,13,00,00,00
"132"=hex:d4,1a,00,00,d7,d5,9f,ea,f7,fd,81,f8,d7,e4,a9,d4,14,00,00,00
"133"=hex:1a,12,00,00,17,e0,23,d2,ce,35,88,81,9d,a2,77,92,14,00,00,00
"134"=hex:4d,13,00,00,2a,2c,65,16,04,0b,7e,b6,67,18,57,13,00,00,00
"135"=hex:80,14,00,00,7b,69,43,5e,5b,51,35,2c,7b,38,1d,08,14,00,00,00
"136"=hex:33,7e,00,00,0e,0b,3a,35,21,1c,a3,a8,b4,45,4e,75,14,00,00,00
"137"=hex:ca,00,00,00,a9,b3,98,95,9b,8e,fd,35,fa,9f,ca,13,00,00,00
"138"=hex:95,03,00,00,96,94,5e,a5,b6,bc,c0,3b,16,27,e8,17,14,00,00,00
"139"=hex:26,2f,00,00,1b,14,37,26,32,29,9c,95,81,56,7b,66,14,00,00,00
"140"=hex:be,30,00,00,a5,bf,94,81,97,9a,e9,21,f6,eb,c6,13,00,00,00
"141"=hex:87,32,00,00,60,66,48,57,40,4e,32,25,60,31,1a,01,14,00,00,00
"142"=hex:f7,66,00,00,ca,c7,c6,f1,ed,d8,ef,e4,f0,81,8a,b1,14,00,00,00
"143"=hex:5f,68,00,00,44,5e,77,60,76,75,08,40,11,0a,21,13,00,00,00
"144"=hex:28,6a,00,00,03,01,2b,36,23,29,5d,44,83,50,45,60,14,00,00,00
"145"=hex:c4,77,00,00,b9,ba,95,84,90,8f,32,3b,27,f4,d9,c4,14,00,00,00
"146"=hex:2a,7a,00,00,09,13,38,35,3b,2e,5d,95,5a,7f,6a,13,00,00,00
"147"=hex:f2,7c,00,00,f5,fb,fd,c8,d5,e3,a7,9e,f5,8a,8f,ba,14,00,00,00
"148"=hex:4c,6f,00,00,21,32,1d,1c,18,07,ba,b3,af,6c,21,5c,14,00,00,00
"149"=hex:49,71,00,00,2e,30,19,1a,18,0f,72,ba,7b,1c,4b,13,00,00,00
"150"=hex:7b,73,00,00,7c,72,44,43,5c,5a,2e,11,7c,3d,16,0d,14,00,00,00
"151"=hex:70,48,00,00,4d,4e,79,78,64,63,66,6f,4b,08,0d,38,14,00,00,00
"152"=hex:6d,4a,00,00,4a,4c,45,76,64,6b,1e,56,07,38,37,13,00,00,00
"153"=hex:3a,4c,00,00,3d,33,05,00,1d,1b,6f,56,bd,42,57,72,14,00,00,00
"154"=hex:88,5c,00,00,65,76,51,40,5c,4b,7e,77,63,30,e5,00,14,00,00,00
"155"=hex:85,5e,00,00,62,74,5d,5e,5c,53,36,7e,3f,20,0f,13,00,00,00
"156"=hex:50,61,00,00,2b,59,13,6e,0b,01,05,7c,ab,68,2d,58,14,00,00,00
"157"=hex:cc,54,00,00,a1,b2,9d,9c,98,87,3a,33,2f,ec,a1,dc,14,00,00,00
"158"=hex:cd,56,00,00,aa,ac,e5,96,84,8b,fe,36,e7,98,d7,13,00,00,00
"159"=hex:ca,58,00,00,ad,a3,95,90,8d,8b,ff,e6,2d,f2,a7,c2,14,00,00,00
"160"=hex:4d,69,00,00,20,2d,1c,1f,1b,06,45,b2,ae,6f,20,5f,14,00,00,00
"161"=hex:7f,6b,00,00,64,7e,57,40,56,55,28,60,31,2a,01,13,00,00,00
"162"=hex:b0,6d,00,00,8b,b9,b3,8e,ab,a1,e5,dc,0b,c8,cd,f8,14,00,00,00
"163"=hex:f4,40,00,00,c9,ca,c5,f4,e0,df,e2,eb,f7,84,89,b4,14,00,00,00
"164"=hex:24,44,00,00,03,15,32,3f,3d,30,57,9f,5c,41,6c,13,00,00,00
"165"=hex:eb,47,00,00,cc,c2,f4,f3,ec,ea,9e,81,cc,8d,86,bd,14,00,00,00
"166"=hex:ab,04,00,00,86,93,b2,bd,b9,a4,1b,10,0c,cd,c6,fd,14,00,00,00
"167"=hex:42,07,00,00,21,3b,10,1d,13,16,75,bd,72,67,42,13,00,00,00
"168"=hex:0d,0a,00,00,ee,1c,d6,2d,ce,c4,b8,a3,ee,af,60,9f,14,00,00,00
"169"=hex:23,21,00,00,1e,1b,2a,25,31,2c,93,98,84,55,7e,65,14,00,00,00
"170"=hex:85,26,00,00,62,74,5d,5e,5c,53,36,7e,3f,20,0f,13,00,00,00
"171"=hex:d2,3c,00,00,af,a8,9b,9a,86,fd,c0,c9,d5,ea,af,da,14,00,00,00
"172"=hex:01,41,00,00,e6,f8,d1,c2,d0,d7,aa,e2,b3,a4,83,13,00,00,00
"173"=hex:96,44,00,00,91,97,59,a4,b1,bf,c3,3a,11,26,eb,16,14,00,00,00
"174"=hex:69,76,00,00,44,51,70,63,7f,6a,59,56,42,13,04,23,14,00,00,00
"175"=hex:34,79,00,00,33,05,02,0f,2d,20,67,af,4c,71,7c,13,00,00,00
"176"=hex:cb,7b,00,00,ac,a2,94,93,8c,8a,fe,e1,2c,ed,a6,dd,14,00,00,00
"177"=hex:4d,02,00,00,20,2d,1c,1f,1b,06,45,b2,ae,6f,20,5f,14,00,00,00
"178"=hex:7e,05,00,00,65,7f,54,41,57,5a,29,61,36,2b,06,13,00,00,00
"179"=hex:14,08,00,00,17,15,df,2a,37,3d,41,b8,97,a4,69,94,14,00,00,00
"180"=hex:35,29,00,00,08,05,04,37,23,1e,ad,aa,b6,47,48,77,14,00,00,00
"181"=hex:cc,2b,00,00,ab,ad,9a,97,85,88,ff,37,e4,99,d4,13,00,00,00
"182"=hex:97,2e,00,00,90,96,58,a7,b0,be,c2,35,10,21,ea,11,14,00,00,00
"183"=hex:34,5b,00,00,09,0a,05,34,20,1f,a2,ab,b7,44,49,74,14,00,00,00
"184"=hex:fe,5e,00,00,e5,ff,d4,c1,d7,da,a9,e1,b6,ab,86,13,00,00,00
"185"=hex:c7,63,00,00,a0,a6,88,97,80,8e,f2,e5,20,f1,da,c1,14,00,00,00
"186"=hex:de,50,00,00,d3,dc,ef,ee,8a,f1,d4,dd,d9,9e,b3,ae,14,00,00,00
"187"=hex:aa,53,00,00,89,93,b8,b5,bb,ae,dd,15,da,ff,ea,13,00,00,00
"188"=hex:40,56,00,00,3b,29,03,1e,1b,11,75,6c,bb,78,5d,48,14,00,00,00
"189"=hex:f2,2a,00,00,cf,c8,fb,fa,e6,dd,e0,e9,f5,8a,8f,ba,14,00,00,00
"190"=hex:54,2e,00,00,53,25,62,6f,0d,00,07,4f,6c,11,5c,13,00,00,00
"191"=hex:1e,32,00,00,19,0f,21,3c,39,37,4b,b2,99,5e,73,6e,14,00,00,00
"192"=hex:a5,64,00,00,98,95,b4,a7,b3,ae,1d,1a,06,d7,f8,e7,14,00,00,00
"193"=hex:6e,68,00,00,75,4f,44,71,67,6a,19,51,06,3b,36,13,00,00,00
"194"=hex:38,6c,00,00,33,31,3b,06,13,19,6d,54,b3,40,55,70,14,00,00,00
"195"=hex:33,50,00,00,0e,0b,3a,35,21,1c,a3,a8,b4,45,4e,75,14,00,00,00
"196"=hex:fd,55,00,00,fa,fc,d5,c6,d4,db,ae,e6,b7,a8,87,13,00,00,00
"197"=hex:2b,5b,00,00,0c,02,34,33,2c,2a,5e,41,8c,4d,46,7d,14,00,00,00
"198"=hex:5e,4b,00,00,53,5c,6f,6e,0a,71,54,5d,59,1e,33,2e,14,00,00,00
"199"=hex:8f,50,00,00,94,6e,a7,50,46,45,38,70,21,da,11,13,00,00,00
"200"=hex:ef,54,00,00,c8,fe,f0,cf,e8,e6,9a,9d,c8,89,82,b9,14,00,00,00
"201"=hex:e0,6f,00,00,dd,de,e9,e8,f4,f3,d6,df,db,98,bd,a8,14,00,00,00
"202"=hex:a8,74,00,00,8f,91,be,bb,b9,ac,d3,1b,d8,fd,e8,13,00,00,00
"203"=hex:a2,79,00,00,85,8b,ad,b8,a5,b3,d7,ce,05,da,ff,ea,14,00,00,00
"204"=hex:de,6f,00,00,d3,dc,ef,ee,8a,f1,d4,dd,d9,9e,b3,ae,14,00,00,00
"205"=hex:a7,74,00,00,8c,96,bf,b8,be,ad,d0,18,d9,c2,e9,13,00,00,00
"206"=hex:6f,79,00,00,48,7e,70,4f,68,66,1a,1d,48,09,02,39,14,00,00,00
"207"=hex:4e,09,00,00,23,2c,1f,1e,1a,01,44,4d,a9,6e,23,5e,14,00,00,00
"208"=hex:47,0e,00,00,2c,36,1f,18,1e,0d,70,b8,79,62,49,13,00,00,00
"209"=hex:de,13,00,00,d9,cf,e1,fc,f9,f7,8b,f2,d9,9e,b3,ae,14,00,00,00
"210"=hex:40,45,00,00,3d,3e,09,08,14,13,b6,bf,bb,78,5d,48,14,00,00,00
"211"=hex:d4,49,00,00,d3,a5,e2,ef,8d,80,87,cf,ec,91,dc,13,00,00,00
"212"=hex:9d,4e,00,00,9e,8c,a6,bd,be,b4,c8,33,1e,df,f0,ef,14,00,00,00
"213"=hex:64,72,00,00,59,5a,75,64,70,6f,52,5b,47,14,39,24,14,00,00,00
"214"=hex:f9,76,00,00,fe,c0,c9,ca,e8,df,a2,ea,8b,ac,bb,13,00,00,00
"215"=hex:90,7b,00,00,6b,99,53,ae,4b,41,c5,3c,6b,28,ed,18,14,00,00,00
"216"=hex:8d,1d,00,00,60,6d,5c,5f,5b,46,05,72,6e,2f,e0,1f,14,00,00,00
"217"=hex:8a,22,00,00,69,73,58,55,5b,4e,3d,75,3a,df,0a,13,00,00,00
"218"=hex:83,27,00,00,64,6a,4c,5b,44,52,36,29,64,35,1e,05,14,00,00,00
"219"=hex:0f,06,00,00,e2,ef,de,d9,c5,c0,87,8c,e8,a9,62,99,14,00,00,00
"220"=hex:a6,0b,00,00,8d,97,bc,b9,bf,b2,d1,19,de,c3,ee,13,00,00,00
"221"=hex:9f,10,00,00,98,8e,a0,bf,b8,b6,ca,cd,18,d9,f2,e9,14,00,00,00
"222"=hex:fa,04,00,00,f7,c0,c3,f2,ee,d5,e8,e1,fd,82,97,b2,14,00,00,00
"223"=hex:5c,0a,00,00,5b,5d,6a,67,75,78,0f,47,14,09,24,13,00,00,00
"224"=hex:8a,0f,00,00,6d,63,55,50,4d,4b,3f,26,6d,32,e7,02,14,00,00,00
"225"=hex:97,18,00,00,6a,67,a6,51,4d,b8,0f,04,10,21,ea,11,14,00,00,00
"226"=hex:91,1f,00,00,96,68,a1,52,40,47,3a,72,23,d4,13,13,00,00,00
"227"=hex:bf,24,00,00,b8,ae,80,9f,98,96,ea,ed,38,f9,d2,c9,14,00,00,00
"228"=hex:a0,25,00,00,9d,9e,a9,a8,b4,b3,16,1f,1b,d8,fd,e8,14,00,00,00
"229"=hex:97,2e,00,00,9c,66,af,a8,4e,bd,c0,08,29,d2,19,13,00,00,00
"230"=hex:f7,35,00,00,f0,f6,f8,c7,d0,de,a2,95,f0,81,8a,b1,14,00,00,00
"231"=hex:53,46,00,00,2e,2b,1a,15,01,7c,43,48,54,65,2e,55,14,00,00,00
"232"=hex:4e,4c,00,00,55,2f,64,11,07,0a,79,b1,66,1b,56,13,00,00,00
"233"=hex:46,52,00,00,21,27,09,14,01,0f,73,6a,a1,76,5b,46,14,00,00,00
*********************************************
Fichiers détectés :
C:\WINDOWS\balloon.wav Présent !
C:\WINDOWS\rdt.ini Présent !
*********************************************
Recherche des processus aleatoires
d'après les modèles : cs***.exe, dm***.exe, ya***.exe
C:\WINDOWS\System32
*********************************************
Recherche presence hclean32.exe...
non trouvé...
---------------
log hijack :
---------------
Logfile of HijackThis v1.99.1
Scan saved at 15:35:37, on 03/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SonicWALL\SonicWALL VPN Client\IreIKE.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Fichiers communs\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Miramar\PC MACLAN\ATMsg.exe
C:\Program Files\Fichiers communs\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\SonicWALL\SonicWALL VPN Client\IPSecMon.exe
c:\Program Files\Miramar\PC MACLAN\ATSPOOL.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\SonicWALL\SonicWALL VPN Client\SafeCfg.exe
D:\software\PeerGuardian 2 Beta\pg2.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Hijack\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [Miramar Systems, Inc.] C:\Program Files\Miramar\PC MACLAN\atmsg.exe
O4 - HKLM\..\Run: [EPSON Stylus CX3200] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX3200" /O6 "USB001" /M "Stylus CX3200"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KAVPersonal50] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Raccourci vers pg2.lnk = D:\software\PeerGuardian 2 Beta\pg2.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: SonicWALL VPN Client.lnk = C:\Program Files\SonicWALL\SonicWALL VPN Client\SafeCfg.exe
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: fdjeux - https://www.fdjeux.net/classes/fdjeux.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{35BFD203-4759-483A-8371-41D90CA97191}: NameServer = 69.50.176.198,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{4B80F726-26A6-4EED-B754-3DC2458B4708}: NameServer = 69.50.176.198,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{5A7436A0-A80E-4B10-9E83-F04356E9678D}: NameServer = 69.50.176.198,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{5B6A33F9-29BD-49FB-A6DF-77E5098E2E6E}: NameServer = 69.50.176.198,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{7E145BB1-A896-48E0-875A-DC39CA86A286}: NameServer = 69.50.176.198,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{87FBC40E-D3FA-4C12-A0FD-84AF102B52D7}: NameServer = 69.50.176.198,85.255.112.12
O17 - HKLM\System\CS1\Services\Tcpip\..\{35BFD203-4759-483A-8371-41D90CA97191}: NameServer = 69.50.176.198,85.255.112.12
O23 - Service: AppleTalk Messenger (ATMsg) - Miramar Systems Inc. - C:\Program Files\Miramar\PC MACLAN\ATMsg.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Fichiers communs\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Fichiers communs\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: SafeNet Monitor Service (IPSECMON) - SafeNet - C:\Program Files\SonicWALL\SonicWALL VPN Client\IPSecMon.exe
O23 - Service: SafeNet IKE Service (IreIKE) - SafeNet - C:\Program Files\SonicWALL\SonicWALL VPN Client\IreIKE.exe
O23 - Service: kavsvc - Kaspersky Labs - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: Miramar AppleTalk Print Server - Miramar Systems Inc. - c:\Program Files\Miramar\PC MACLAN\ATSPOOL.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
--------------------
RAPPORT SilentRunner
---------------------
"Silent Runners.vbs", revision 40.1, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"NVMixerTray" = ""C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"" ["NVIDIA Corporation"]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS]
"SmcService" = "C:\PROGRA~1\Sygate\SPF\smc.exe -startgui" ["Sygate Technologies, Inc."]
"Miramar Systems, Inc." = "C:\Program Files\Miramar\PC MACLAN\atmsg.exe" ["Miramar Systems Inc."]
"EPSON Stylus CX3200" = "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX3200" /O6 "USB001" /M "Stylus CX3200"" ["SEIKO EPSON CORPORATION"]
"dmtol.exe" = "C:\WINDOWS\system32\dmtol.exe" [file not found]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"KAVPersonal50" = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize" ["Kaspersky Labs"]
"hclean32.exe" = "C:\WINDOWS\system32\hclean32.exe" [file not found]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Extension Affichage Panorama du Panneau de configuration"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Extension icône HyperTerminal"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\MICROS~1\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\MICROS~1\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{8FF88D21-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.2 Context Menu Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]
"{8FF88D25-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.2 DragDrop Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]
"{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.2 Context Menu Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]
"{8FF88D23-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.2 Property Sheet Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real Alternative\rpshell.dll" ["RealNetworks, Inc."]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "System" = "csmaj.exe" [null data]
HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Fichiers communs\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\context.dll" ["ewido networks"]
Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\shellex.dll" ["Kaspersky Labs"]
TheCleaner\(Default) = "{2DE506B9-4320-11d3-8E42-002035221EDA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\The Cleaner\tcshellex.dll" ["MooSoft Development"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
ZFAdd\(Default) = "{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\context.dll" ["ewido networks"]
Miramar_AppleTalk\(Default) = "{327700A0-1ABB-11CF-BD20-4CAA03C10000}"
-> {CLSID}\InProcServer32\(Default) = "atshel32.dll" ["Miramar Systems Inc."]
TheCleaner\(Default) = "{2DE506B9-4320-11D3-8E42-002035221EDA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\The Cleaner\tcshellex.dll" ["MooSoft Development"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
ZFAdd\(Default) = "{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\shellex.dll" ["Kaspersky Labs"]
MiramarNPMenu\(Default) = "{EA075FE0-9229-11CF-AEEE-00AA00A06FE4}"
-> {CLSID}\InProcServer32\(Default) = "atnp32.dll" ["Miramar Systems Inc."]
Miramar_Printers\(Default) = "{36C959A0-7CF9-11CF-AEEE-00AA00A06FE4}"
-> {CLSID}\InProcServer32\(Default) = "atpp32.dll" ["Miramar Systems Inc."]
TheCleaner\(Default) = "{2DE506B9-4320-11D3-8E42-002035221EDA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\The Cleaner\tcshellex.dll" ["MooSoft Development"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
Active Desktop and Wallpaper:
-----------------------------
Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Pierrot (Admin)\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"
Enabled Screen Saver:
---------------------
HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]
Startup items in "Pierrot (Admin)" & "All Users" startup folders:
-----------------------------------------------------------------
C:\Documents and Settings\Pierrot (Admin)\Menu Démarrer\Programmes\Démarrage
"Raccourci vers pg2" -> shortcut to: "D:\software\PeerGuardian 2 Beta\pg2.exe" ["Methlabs"]
C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage
"Adobe Gamma Loader" -> shortcut to: "C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
"Lancement rapide d'Adobe Reader" -> shortcut to: "D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"SonicWALL VPN Client" -> shortcut to: "C:\Program Files\SonicWALL\SonicWALL VPN Client\SafeCfg.exe" ["SafeNet"]
Enabled Scheduled Tasks:
------------------------
"XoftSpy" -> launches: "C:\Program Files\XoftSpy\XoftSpy.exe -t" ["ParetoLogic Inc."]
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 21
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05
Toolbars, Explorer Bars, Extensions:
------------------------------------
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\Software\Microsoft\Internet Explorer\Extensions\
{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Recherche"
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]
Miscellaneous IE Hijack Points
------------------------------
C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")
Added lines (compared with English-language version):
[Strings]: SAFESITE_VALUE="http://home.microsoft.com/intl/fr/"
Missing lines (compared with English-language version):
[Strings]: 1 line
HOSTS file
----------
C:\WINDOWS\System32\drivers\etc\HOSTS
maps: 1 domain name to an IP address,
1 of the IP addresses is *not* localhost!
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
AppleTalk Messenger, ATMsg, "C:\Program Files\Miramar\PC MACLAN\ATMsg.exe -service" ["Miramar Systems Inc."]
EPSON Printer Status Agent2, EPSONStatusAgent2, "C:\Program Files\Fichiers communs\EPSON\EBAPI\SAgent2.exe" ["SEIKO EPSON CORPORATION"]
EpsonBidirectionalService, EpsonBidirectionalService, "C:\Program Files\Fichiers communs\EPSON\EBAPI\eEBSVC.exe" [null data]
ewido security suite control, ewido security suite control, "C:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
ewido security suite guard, ewido security suite guard, "C:\Program Files\ewido\security suite\ewidoguard.exe" ["ewido networks"]
kavsvc, kavsvc, "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe" ["Kaspersky Labs"]
Miramar AppleTalk Print Server, Miramar AppleTalk Print Server, ""c:\Program Files\Miramar\PC MACLAN\ATSPOOL.EXE"" ["Miramar Systems Inc."]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
SafeNet IKE Service, IreIKE, ""C:\Program Files\SonicWALL\SonicWALL VPN Client\IreIKE.exe"" ["SafeNet"]
SafeNet Monitor Service, IPSECMON, ""C:\Program Files\SonicWALL\SonicWALL VPN Client\IPSecMon.exe"" ["SafeNet"]
Sygate Personal Firewall, SmcService, "C:\Program Files\Sygate\SPF\smc.exe" ["Sygate Technologies, Inc."]
----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 26 seconds, including 8 seconds for message boxes)