spysheriff et d'autres.

Question

bonjour a tous,
je suis dans un cyber pour essayer de reparer mon ordi.
N'arrivant pas a bout des spywares, j'ai reformaté mon disque C mais dès que je me suis reconnecté pour mettre a jour norton, les premieres fenetres cf affichage des messages apparaissent.Norton m'a repéré plusieurs infections de spysheriff sans rien pourvoir faire,adaware m'a signalé torpig, spysheriff, spywareNo, smitfraud...
Apres avoir fait les nettoyages possibles en mode ss echec, spybot,adaware et norton ne trouve plus rien (j'ai enlevé manuellement secure32). Mais les problemes sont toujours la, je ne peux pas extraire le service pack 2 que j'ai telechargé, pas de page internet...en gros, aucune application ne s'ouvre!
Au secours!
Merci d'avance,
Laurent

Afficher la suite

green day · Answer

Salut

# Télécharge ceci: (merci a S!RI pour ce petit programme).

http://siri.urz.free.fr/Fix/SmitfraudFix.zip

Exécute le, Double click sur Smitfraudfix.cmd choisit l’option 1,
voila a quoi cela ressemble : http://siri.urz.free.fr/Fix/SmitfraudFix.php
il va générer un rapport : copie/colle le sur le poste stp.

++

laurentired · Answer

Super de me répondre!Je ne comprends pas, ce n'est pas la 1ere fois que je l'utilise mais la je n'arrive pas a obtenir de rapport! que faire?

green day · Answer

as tu un message d'erreur ???++

laurentired · Answer

dsl green day, je ne pouvais pas l'ouvrir sur mon ordi (??) mais sur le fixe ca marche, voici donc le rapport:

SmitFraudFix v2.64

Rapport fait à 15:09:11,57, 23/06/2006
Executé à partir de C:\Documents and Settings\enzo\Bureau\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [version 5.1.2600] - Windows_NT
Fix executé en mode normal

»»»»»»»»»»»»»»»»»»»»»»»» C:\

C:\uniq PRESENT !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\enzo\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Menu Démarrer

»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» Bureau

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Clés corrompues

»»»»»»»»»»»»»»»»»»»»»»»» Eléments du bureau

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Ma page d'accueil"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, les clés qui suivent ne sont pas forcément infectées!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{242B4099-2E93-4b02-8AB5-74EDCDF497FA}"="er6t345323"

»»»»»»»»»»»»»»»»»»»»»»»» Recherche infection wininet.dll

»»»»»»»»»»»»»»»»»»»»»»»» Fin

laurentired · Answer

yop, non, pas de message d'alerte, mais un peu plus tot, j'en avais un qui me signalait qu'un fichier ne pouvait etre "read"..

green day · Answer

c'est bien le rapport du PC "malade" ???

# Démarre en mode sans échec :
Pour cela, tu tapotes la touche F8 dès le début de l’allumage du pc sans t’arrêter
Une fenêtre va s’ouvrir tu te déplaces avec les flèches du clavier sur démarrer en mode sans échec puis tape entrée.
Une fois sur le bureau s’il n’y a pas toutes les couleurs et autres c’est normal !
(Si F8 ne marche pas utilise la touche F5).
----------------------------------------------------------------------------
# Relance le programme Smitfraud :
Cette fois choisit l’option 2, répond oui a tous ;
Sauvegarde le rapport, Redémarre en mode normal, copie/colle le rapport sauvegardé sur le forum

ensuite :

Télécharge ceci :

Lien : http://www.infos-du-net.com/telecharger/HijackThis.html

Démo : http://pageperso.aol.fr/balltrap34/demohijack.htm

Choisir l'option "do a scan and a logfile", et faire un copier/coller du rapport ainsi générer sur le forum.

bon courage; @+

laurentired · Answer

Sans que je ne fasse rien, un message d'erreur d'application s'affiche: la mémoire 0*00BB0f40 ne peut pas etre "read".Je sais pas si ca fait avancer le schmilblick...

green day · Answer

re :)

as tu un parfeu ???

Relance HijackThis : choisis " do a scan only" coche la case devant les lignes ci-dessous et clique en bas sur "fix checked" :

O4 - HKLM\..\Run: [ÿ_zskqixtzu[p_jbaxf]`40inkrwksz_] c:\windows\system32\_zskwrkni04`]fxabj_p[uztxiq.exe
O4 - HKLM\..\RunServices: [ÿ_zskqixtzu[p_jbaxf]`40inkrwksz_] c:\windows\system32\_zskwrkni04`]fxabj_p[uztxiq.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ÿ_zskqixtzu[p_jbaxf]`40inkrwksz_] c:\windows\system32\_zskwrkni04`]fxabj_p[uztxiq.exe

O21 - SSODL: SysTray.Exbr - {6368D1FC-6F5C-4f1b-B164-E67214F678E9} - (no file)

*Telecharge et installe ceci, dans la colonne de gauche clique sur "erreurs" coche toute les cases, puis clique en bas sur "chercher des erreurs" une fois finit, clique sur "reparer les erreurs" et tu aura un message pour sauvegarder ta base de registre tu dis "oui" puis tu recommences jusqu'a ce qu'il te trouve plus d'erreurs .

*Relance Ccleaner ,vas dans l'onglet "nettoyeur" present sur la gauche, decoche la derniere case (Avancé si elle
est cochée) puis clique sur "lancer le nettoyage"

https://www.01net.com/telecharger/windows/Utilitaire/nettoyeurs_et_installeurs/fiches/32599.html

tuto: https://www.vulgarisation-informatique.com/nettoyer-windows-ccleaner.php

ensuite fais le 1/ et 2/ de ce lien stp :

virus methode preliminaire de desinfection version fr

precise tes soucis s'il en reste

@+

***j'ai decidé d'être heureux parce que c'est bon pour la santé ! ( Voltaire )***

laurentired · Answer

pour ce qui est du virus en ligne, ca va etre difficile etant donné que je n'ai pas internet avec mon portable malade. je pourrais reessayer de me connecter en revenant chez moi, mais ce n'est pas donné!

laurentired · Answer

pareil pour ewido, je ne parviens pas a le lancer sur mon ordi...

green day · Answer

re

ok, essaye de passer ewido en mode sans echec ( redemarre en appuillant sur F8)

++

PS : Regis, si tu passes par là, est ce que le prog pour retablir la connexion pourrait marcher dans ce cas ???

incognito02 · Answer

Re,

Je pense que c est l infection qui bloque la connection.

Tu peux faire ceci?

HijackThis -> Open the misc tools sections -> open Uninstall manager -> clique sur "Save list" -> enregistre le fichier -> fais-en un copier/coller ici.

Pour Green day, tu sais tu peux toujours essayer, avec de la chance, la connection peut revenir avec le programme. Normalement c est pour new net mais peut etre que c est cette infection qui est presente, donc essaie ;-)

green day · Answer

oui, en effet :)

laurentired · Answer

Bonjour Green day,
Je peux de nouveau utiliser ma connection mais ca reste aléatoire. Pareil pour l'ouverture d'application: en insistant ca marche parfois. J'ai un nouveau pare feu depuis que j'ai reformaté, mais je ne sais pas bien m'en servir (faut que je me chope un tuto) c'est Softperfect perso.
Voici donc le rapport scan d'ewido fait en mode normal et la liste hijackthis requise.

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 10:28:36 24/06/2006

+ Scan result:

C:\System Volume Information\_restore{C6DE8109-9D72-434C-A35E-FFA5FB4B228D}\RP11\A0002831.exe -> Adware.Spysheriff : No action taken.
C:\System Volume Information\_restore{C6DE8109-9D72-434C-A35E-FFA5FB4B228D}\RP11\A0003852.exe -> Adware.Spysheriff : No action taken.
C:\System Volume Information\_restore{C6DE8109-9D72-434C-A35E-FFA5FB4B228D}\RP11\A0002856.exe -> Dropper.MultiJoiner.13.h : No action taken.
C:\kpswxi.exe -> Dropper.MultiJoiner.13.h : No action taken.
C:\System Volume Information\_restore{C6DE8109-9D72-434C-A35E-FFA5FB4B228D}\RP12\A0008966.dll -> Proxy.Agent.km : No action taken.
C:\WINDOWS\system32\__delete_on_reboot____z_s_k_w_r_k_n_i_0_4_`_]_f_x_a_b_j___p_[_u_z_t_x_i_q_._d_l_l_ -> Proxy.Agent.km : No action taken.
[1048] c:\windows\system32\_zskwrkni04`]fxabj_p[uztxiq.dll -> Proxy.Agent.km : No action taken.
[1072] c:\windows\system32\_zskwrkni04`]fxabj_p[uztxiq.dll -> Proxy.Agent.km : No action taken.
[1164] c:\windows\system32\_zskwrkni04`]fxabj_p[uztxiq.dll -> Proxy.Agent.km : No action taken.
[1256] c:\windows\system32\_zskwrkni04`]fxabj_p[uztxiq.dll -> Proxy.Agent.km : No action taken.
[1264] c:\windows\system32\_zskwrkni04`]fxabj_p[uztxiq.dll -> Proxy.Agent.km : No action taken.
[1312] c:\windows\system32\_zskwrkni04`]fxabj_p[uztxiq.dll -> Proxy.Agent.km : No action taken.
[1348] c:\windows\system32\_zskwrkni04`]fxabj_p[uztxiq.dll -> Proxy.Agent.km : No action taken.
[1416] c:\windows\system32\_zskwrkni04`]fxabj_p[uztxiq.dll -> Proxy.Agent.km : No action taken.
[1432] c:\windows\system32\_zskwrkni04`]fxabj_p[uztxiq.dll -> Proxy.Agent.km : No action taken.
[1588] c:\windows\system32\_zskwrkni04`]fxabj_p[uztxiq.dll -> Proxy.Agent.km : No action taken.
[1772] c:\windows\system32\_zskwrkni04`]fxabj_p[uztxiq.dll -> Proxy.Agent.km : No action taken.
[188] c:\windows\system32\_zskwrkni04`]fxabj_p[uztxiq.dll -> Proxy.Agent.km : No action taken.
[1996] c:\windows\system32\_zskwrkni04`]fxabj_p[uztxiq.dll -> Proxy.Agent.km : No action taken.
[2004] c:\windows\system32\_zskwrkni04`]fxabj_p[uztxiq.dll -> Proxy.Agent.km : No action taken.
[2900] c:\windows\system32\_zskwrkni04`]fxabj_p[uztxiq.dll -> Proxy.Agent.km : No action taken.
[476] c:\windows\system32\_zskwrkni04`]fxabj_p[uztxiq.dll -> Proxy.Agent.km : No action taken.
[480] c:\windows\system32\_zskwrkni04`]fxabj_p[uztxiq.dll -> Proxy.Agent.km : No action taken.
[576] c:\windows\system32\_zskwrkni04`]fxabj_p[uztxiq.dll -> Proxy.Agent.km : No action taken.
[656] c:\windows\system32\_zskwrkni04`]fxabj_p[uztxiq.dll -> Proxy.Agent.km : No action taken.
[660] c:\windows\system32\_zskwrkni04`]fxabj_p[uztxiq.dll -> Proxy.Agent.km : No action taken.
[796] c:\windows\system32\_zskwrkni04`]fxabj_p[uztxiq.dll -> Proxy.Agent.km : No action taken.
[804] c:\windows\system32\_zskwrkni04`]fxabj_p[uztxiq.dll -> Proxy.Agent.km : No action taken.
[824] c:\windows\system32\_zskwrkni04`]fxabj_p[uztxiq.dll -> Proxy.Agent.km : No action taken.
[868] c:\windows\system32\_zskwrkni04`]fxabj_p[uztxiq.dll -> Proxy.Agent.km : No action taken.
[880] c:\windows\system32\_zskwrkni04`]fxabj_p[uztxiq.dll -> Proxy.Agent.km : No action taken.
C:\System Volume Information\_restore{C6DE8109-9D72-434C-A35E-FFA5FB4B228D}\RP11\A0002824.exe -> Proxy.Small.bo : No action taken.
C:\System Volume Information\_restore{C6DE8109-9D72-434C-A35E-FFA5FB4B228D}\RP11\A0003845.exe -> Proxy.Small.bo : No action taken.
C:\System Volume Information\_restore{C6DE8109-9D72-434C-A35E-FFA5FB4B228D}\RP11\A0002859.dll -> Proxy.Small.ct : No action taken.
C:\WINDOWS\system32\vjeojhvro.dll -> Proxy.Small.ct : No action taken.
C:\System Volume Information\_restore{C6DE8109-9D72-434C-A35E-FFA5FB4B228D}\RP11\A0002839.exe -> Proxy.Wopla.r : No action taken.
C:\System Volume Information\_restore{C6DE8109-9D72-434C-A35E-FFA5FB4B228D}\RP11\A0002840.dll -> Proxy.Wopla.s : No action taken.
C:\System Volume Information\_restore{C6DE8109-9D72-434C-A35E-FFA5FB4B228D}\RP11\A0002852.exe -> Trojan.Sinowal.aa : No action taken.
C:\qygm.exe -> Trojan.Sinowal.aa : No action taken.

::Report end

Acer eManager
Ad-Aware SE Personal
Adobe Premiere Pro 1.5
Adobe Reader 6.0
Aspire Arcade 3.0
ATI - Utilitaire de désinstallation du logiciel
ATI Control Panel
ATI Display Driver
CC_ccStart
ccCommon
CleanUp!
Conexant AC-Link Audio
Correctif Windows XP - KB890859
ewido anti-spyware 4.0
HijackThis 1.99.1
Indeo® Software
Launch Manager
LiveReg (Symantec Corporation)
LiveUpdate 1.90 (Symantec Corporation)
Microsoft Office Professional Edition 2003
Mise à jour de sécurité pour Lecteur Windows Media (KB911564)
Mise à jour de sécurité pour Lecteur Windows Media 9 (KB917734)
Mise à jour de sécurité pour Windows XP (KB896423)
Mise à jour de sécurité pour Windows XP (KB896428)
Mise à jour de sécurité pour Windows XP (KB908519)
Mise à jour de sécurité pour Windows XP (KB913580)
Mise à jour de sécurité pour Windows XP (KB914389)
Mise à jour pour Windows XP (KB898461)
Mise à jour pour Windows XP (KB910437)
MSRedist
Norton AntiVirus 2004
Norton AntiVirus 2004 (Symantec Corporation)
Norton AntiVirus Parent MSI
NTI Backup NOW! 3
NTI CD & DVD-Maker Gold
PowerProducer
SoftV92 Data Fax Modem with SmartCP
Spybot - Search & Destroy 1.4
Symantec Script Blocking Installer
SymNet
Synaptics Pointing Device Driver
Texas Instruments PCIxx21/x515 drivers.
Windows Installer 3.1 (KB893803)
Windows XP Service Pack 2

Voila tout. Merci encore pour l'interet porté a ma lourde croix!

incognito02 · Answer

SalutRelance ewido et a chaque alerte, tu met pas ignorer mais SUPPRIMER.Puis donne le rapporta+

laurentired · Answer

Salut,
le premier scan, j'avais suivi la recommend action sans rien toucher. La j'ai voulu le forcer a supprimer mais une feneter me dit que si je ne suis pas ce qui est suggéré, ca avortera. Donc j'ai laissé ewido envoyer les menaces les plus importantes en quarantaine.
J'espere que je ne fais pas trop de conneries;

Sinon mon ordi va mieux mais s'il se met en ecran de veille, apres je suis obligé de le rallumer.

En attente des nouvelles directives,
merci bien.

ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 14:49:03 24/06/2006

+ Scan result:

C:\System Volume Information\_restore{C6DE8109-9D72-434C-A35E-FFA5FB4B228D}\RP12\A0008970.exe -> Dropper.MultiJoiner.13.h : No action taken.
C:\WINDOWS\system32\_zskwrkni04HRNQHMQMLFXFLDZA.dll -> Proxy.Agent.km : No action taken.
C:\System Volume Information\_restore{C6DE8109-9D72-434C-A35E-FFA5FB4B228D}\RP12\A0008968.dll -> Proxy.Small.ct : No action taken.
C:\Documents and Settings\enzo\Cookies\enzo@247realmedia[2].txt -> TrackingCookie.247realmedia : No action taken.
C:\Documents and Settings\enzo\Cookies\enzo@2o7[2].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\enzo\Cookies\enzo@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\enzo\Cookies\enzo@atdmt[1].txt -> TrackingCookie.Atdmt : No action taken.
C:\Documents and Settings\enzo\Cookies\enzo@bluestreak[1].txt -> TrackingCookie.Bluestreak : No action taken.
C:\Documents and Settings\enzo\Cookies\enzo@doubleclick[1].txt -> TrackingCookie.Doubleclick : No action taken.
C:\Documents and Settings\enzo\Cookies\enzo@estat[1].txt -> TrackingCookie.Estat : No action taken.
C:\Documents and Settings\enzo\Cookies\enzo@mediaplex[1].txt -> TrackingCookie.Mediaplex : No action taken.
C:\Documents and Settings\enzo\Cookies\enzo@questionmarket[1].txt -> TrackingCookie.Questionmarket : No action taken.
C:\Documents and Settings\enzo\Cookies\enzo@bs.serving-sys[1].txt -> TrackingCookie.Serving-sys : No action taken.
C:\Documents and Settings\enzo\Cookies\enzo@serving-sys[2].txt -> TrackingCookie.Serving-sys : No action taken.
C:\Documents and Settings\enzo\Cookies\enzo@www.smartadserver[1].txt -> TrackingCookie.Smartadserver : No action taken.
C:\Documents and Settings\enzo\Cookies\enzo@tradedoubler[2].txt -> TrackingCookie.Tradedoubler : No action taken.
C:\Documents and Settings\enzo\Cookies\enzo@weborama[2].txt -> TrackingCookie.Weborama : No action taken.
C:\Recycled\Dc3.dll -> Trojan.Sinowal.aa : No action taken.
C:\Recycled\Dc4.dll -> Trojan.Sinowal.aa : No action taken.
C:\System Volume Information\_restore{C6DE8109-9D72-434C-A35E-FFA5FB4B228D}\RP11\A0002832.exe -> Trojan.Sinowal.aa : No action taken.
C:\System Volume Information\_restore{C6DE8109-9D72-434C-A35E-FFA5FB4B228D}\RP11\A0002853.dll -> Trojan.Sinowal.aa : No action taken.
C:\System Volume Information\_restore{C6DE8109-9D72-434C-A35E-FFA5FB4B228D}\RP11\A0002854.dll -> Trojan.Sinowal.aa : No action taken.
C:\System Volume Information\_restore{C6DE8109-9D72-434C-A35E-FFA5FB4B228D}\RP11\A0003853.exe -> Trojan.Sinowal.aa : No action taken.
C:\System Volume Information\_restore{C6DE8109-9D72-434C-A35E-FFA5FB4B228D}\RP12\A0008969.exe -> Trojan.Sinowal.aa : No action taken.

::Report end

green day · Answer

Salut c'est le scan en ligne où c'est le rapport du logiciel que t'as télécharger ???++

laurentired · Answer

Salut,
désolé, j'ai du m'absenter sans prévenir.
Ce que j'ai mis précedemment était le scan du logiciel téléchargé.
J'ai fais le scan en ligne aussi, mais j'ai oublié de sauver le rapport, je l'ai donc refais et il retrouve proxy et trojans.
De plus, norton déconne bien, les mises a jour ne se font pas et je n'arrive pas a activer l'auto protect.
Voici le dernier rapport ci-dessous.

__________________________________________________
ewido security suite online scanner
https://www.avg.com/en-us/free-antivirus-download
__________________________________________________

Name: TrackingCookie.Bluestreak
Path: C:\Documents and Settings\enzo\Cookies\enzo@bluestreak[1].txt
Risk: Medium

Name: TrackingCookie.2o7
Path: C:\Documents and Settings\enzo\Cookies\enzo@msnportal.112.2o7[1].txt
Risk: Medium

Name: TrackingCookie.Serving-sys
Path: C:\Documents and Settings\enzo\Cookies\enzo@serving-sys[1].txt
Risk: Medium

Name: Proxy.Agent.km
Path: C:\System Volume Information\_restore{C6DE8109-9D72-434C-A35E-FFA5FB4B228D}\RP13\A0011268.dll
Risk: High

Name: Trojan.Sinowal.aa
Path: C:\System Volume Information\_restore{C6DE8109-9D72-434C-A35E-FFA5FB4B228D}\RP13\A0011269.dll
Risk: High

Name: Trojan.Sinowal.aa
Path: C:\System Volume Information\_restore{C6DE8109-9D72-434C-A35E-FFA5FB4B228D}\RP13\A0011270.dll
Risk: High

Merci encore, et bon courage!
@+

^^Marie^^ · Answer

Salut

pour avancer,
Salut green,

Installe Ccleaner :

Ccleaner : ( nettoyeur de registre, cookies+temps+tempos+prefetch+historique+etc..)
Télécharge ici :
https://www.ccleaner.com/ccleaner/download
Tutorial ici:
https://www.vulgarisation-informatique.com/nettoyer-windows-ccleaner.php

Tu redémarres et tu nous tiens au courant
Tu peux le garder dans tes favoris, et le faire de temps en temps

A++

laurentired · Answer

Bonjour a tous mes mousquetaires!

J'ai donc fait un ccleaner (nettoyage de registre ET recherche d'erreurs). Les choses ont maintenant l'air de bien se passer: norton est redevenu censé, pas de popups, je crois que le gros du mal est enlevé. Cependant, l'ordi a encore quelques difficultés quand il y a plusieurs fenetres: programmes qui ne répondent pas, fenetres qui ne se ferment pas completement et qui restent en transparence...
Malgré tout, je vois enfin le bout du tunnel.
Peut etre dois-je vous envoyer un rapport hijackthis pour voir si on peut dire que c'est résolu?

A vous,

Bonne journée.

^^Marie^^ · Answer

Slt,Peut etre dois-je vous envoyer un rapport hijackthis pour voir si on peut dire que c'est résoluExcellente idée.A++

laurentired · Answer

tintin, le voici:Logfile of HijackThis v1.99.1Scan saved at 12:10:48, on 25/06/2006Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Running processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\System32\Ati2evxx.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\Explorer.EXEC:\Program Files\Synaptics\SynTP\SynTPLpr.exeC:\Program Files\Synaptics\SynTP\SynTPEnh.exeC:\Program Files\Aspire Arcade\PCMService.exeC:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exeC:\Program Files\Launch Manager\QtZgAcer.EXEC:\Program Files\Fichiers communs\Symantec Shared\ccApp.exeC:\Program Files\ewido anti-spyware 4.0\ewido.exeC:\Program Files\Zone Labs\ZoneAlarm\zlclient.exeC:\Program Files\Messenger\msmsgs.exeC:\Acer\eManager\anbmServ.exeC:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exeC:\Program Files\ewido anti-spyware 4.0\guard.exeC:\Program Files\Norton AntiVirus\SAVScan.exeC:\WINDOWS\system32\ZONELABS\vsmon.exeC:\WINDOWS\system32\wsfws.exeC:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exeC:\Program Files\Norton AntiVirus
avapsvc.exeC:\Program Files\Internet Explorer\iexplore.exeC:\WINDOWS\system32\wuauclt.exeC:\Documents and Settings\enzo\Bureau\HijackThis.exeR1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://www.sfr.fr/offres-numericable.htmlR0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = LiensO2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dllO2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dllO2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dllO3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dllO4 - HKLM\..\Run: [LaunchApp] AlaunchO4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exeO4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exeO4 - HKLM\..\Run: [PCMService] "C:\Program Files\Aspire Arcade\PCMService.exe"O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNCO4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNCO4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMENameO4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exeO4 - HKLM\..\Run: [LManager] C:\Program Files\Launch Manager\QtZgAcer.EXEO4 - HKLM\..\Run: [ccApp] "C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimizedO4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exeO4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exeO4 - HKLM\..\RunServices: [ÿ_zskqixtzu[p_jbaxf]`40inkrwksz_] c:\windows\system32\_zskwrkni04`]fxabj_p[uztxiq.exeO4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /backgroundO8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLLO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cabO23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Fichiers communs\Adobe Systems Shared\Service\Adobelmsvc.exeO23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exeO23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exeO23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exeO23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccPwdSvc.exeO23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exeO23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exeO23 - Service: Service Norton AntiVirus Auto-Protect (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus
avapsvc.exeO23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exeO23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FICHIE~1\SYMANT~1\SCRIPT~1\SBServ.exeO23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\SNDSrvc.exeO23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exeJ'ai toujours le probleme de la mise en veille qui reste bloquée, je suis obligé de l'eteindre et rallumer à chaque fois. Norton n'est pas tout a fait rationnel non plus (pb d'auto-protect a relancer a chaque fois, meme si je change les parametres de configuration).Grand merci, et a tout'

^^Marie^^ · Answer

Slt,De toi à moi, tu ne peux pas le virer Norton.... Tu l'as acheté??Perso, ton log ça va.A++

Kristopher · Answer

Salut enzo,Relance HijackThis puis coche et fixe cette ligne :O4 - HKLM\..\RunServices: [ÿ_zskqixtzu[p_jbaxf]`40inkrwksz_] c:\windows\system32\_zskwrkni04`]fxabj_p[uztxiq.exe--------------------------------------------------------------------------Puis fais ceci :Affiche tous les fichiers et dossiers : Clique sur "démarrer" -> "Panneau de configuration" -> "Outils" (tout en haut) -> "Options des dossiers..." -> "Affichage".Coche :  "afficher les fichiers et dossiers cachés" Décoche les cases : "masquer les fichiers protégés du système d'exploitation (recommandé)" "masquer les extensions dont le type est connu" Clique sur "Appliquer", puis "Ok"--------------------------------------------------------------------------- Rends toi sur http://www.virustotal.com/flash/index_en.htmlClique sur "Parcourir..." et cherche le fichier en gras :C:\WINDOWS\system32\wsfws.exeClique sur "Send" et attends un instant.Copie/colle le rapport sur le forum.a+

laurentired · Answer

Bonjour a tous,Marie, Norton je l'ai craqué.Kristopher, j'ai fait ce que tu m'as dit, et voici le rapport virustotal pour le fichier wsfws.exe. AntiVir	6.35.0.16	06.26.2006	HEUR/Malware.FKMAuthentium	4.93.8	06.23.2006	no virus foundAvast	4.7.844.0	06.23.2006	Win32:Trojano-3428AVG	386	06.25.2006	no virus foundBitDefender	7.2	06.26.2006	no virus foundCAT-QuickHeal	8.00	06.24.2006	(Suspicious) - DNAScanClamAV	devel-20060426	06.26.2006	no virus foundDrWeb	4.33	06.26.2006	Win32.HLLW.MyBoteTrust-InoculateIT	23.72.49	06.25.2006	no virus foundeTrust-Vet	12.6.2275	06.26.2006	no virus foundEwido	3.5	06.26.2006	no virus foundFortinet	2.77.0.0	06.26.2006	no virus foundF-Prot	3.16f	06.23.2006	no virus foundIkarus	0.2.65.0	06.26.2006	no virus foundKaspersky	4.0.2.24	06.26.2006	no virus foundMcAfee	4792	06.23.2006	no virus foundMicrosoft	1.1481	06.25.2006	no virus foundNOD32v2	1.1623	06.26.2006	a variant of IRC/SdBotNorman	5.90.21	06.26.2006	no virus foundPanda	9.0.0.4	06.25.2006	W32/Sdbot.HPF.wormSophos	4.07.0	06.26.2006	no virus foundSymantec	8.0	06.26.2006	no virus foundTheHacker	5.9.8.165	06.26.2006	no virus foundUNA	1.83	06.23.2006	no virus foundVBA32	3.11.0	06.26.2006	Win32.HLLW.MyBotVirusBuster	4.3.7:9	06.25.2006	no virus foundAditional InformationFile size: 174080 bytesMD5: e289078270abc8c7f03eea3e9d0eb979SHA1: 36eed7ab689691b72449bd645a53b7f03478f3d4Merci a vous,A tout'

^^Marie^^ · Answer

Slt,Marie, Norton je l'ai craqué. Tu aurais dû craqué autre chose.........C'est pas trop la politique de la maison le crack .....A++

laurentired · Answer

re,Au depart, je l'avais avec l'ordi mais j'ai paumé le CD d'insta, donc j'ai une certaine légitimité... Tu penses qu'un autre antivirus serait mieux?@+

^^Marie^^ · Answer

re,ici : en plus Norton c'est une vraie passoire, donc tu n'as rien à perdre d'en mettre un gratos comme Avastantivirus gratuit lequel choisirA++

Kristopher · Answer

Re man,- Redémarre le PC en mode "sans échec" : tu tapotes sur la touche F8 de ton clavier (ou bien F5 selon la version de Windows) et tu choisis le mode "sans échec".Puis cherche et supprime le fichier en gras :C:\WINDOWS\system32\wsfws.exeEnsuite redémarre ne mode normal et :Scanne ton PC avec cet antivirus en ligne : https://www.kaspersky.fr/downloads  - Choisis "Kaspersky Online Scanner" - Clique sur "Accept" -> "Next" -> "My computer" - Laisse le scan se faire et copie/colle le rapport ici (si infecté)Sache enfin (et retiens bien dans ta tête) que c'est très dangereux d'avoir des logiciels crack'é sur son PC, et surtout les logiciels de base tel un antivirus (le plus important logiciel de sécurité).Installe Avast!, gratos et pas mal du tout ;)Télécharge, mets à jour et scanne ton PC avec Avast! : https://www.avast.com/free-antivirus-download  Tutorial là : https://forums.cnetfrance.fr Désinstalle Norton avant bien évidemment...a+

laurentired · Answer

Bonsoir a tous,j'ai fait tout ce que vous m'avez suggéré, y compris changé d'antivirus, et  voici les résultats du scanner kaspersky. Apparemment il reste ENCORE du travail... Merci a tous pour vos précieux conseils d'experts!   KASPERSKY ONLINE SCANNER REPORTMonday, June 26, 2006 10:34:44 PMOperating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)Kaspersky Online Scanner version: 5.0.83.0Kaspersky Anti-Virus database last update: 26/06/2006Kaspersky Anti-Virus database records: 190854Scan SettingsScan using the following antivirus database 	standardScan Archives 	trueScan Mail Bases 	trueScan Target 	My ComputerC:\D:\E:\Scan StatisticsTotal number of scanned objects 	47145Number of viruses found 	4Number of infected objects 	18 / 0Number of suspicious objects 	0Duration of the scan process 	00:42:45Infected Object Name 	Virus Name 	Last ActionC:\WINDOWS\system32\config\system.LOG 	Object is locked 	skippedC:\WINDOWS\system32\config\software.LOG 	Object is locked 	skippedC:\WINDOWS\system32\config\default.LOG 	Object is locked 	skippedC:\WINDOWS\system32\config\SECURITY 	Object is locked 	skippedC:\WINDOWS\system32\config\SAM 	Object is locked 	skippedC:\WINDOWS\system32\config\SAM.LOG 	Object is locked 	skippedC:\WINDOWS\system32\config\SECURITY.LOG 	Object is locked 	skippedC:\WINDOWS\system32\config\SYSTEM 	Object is locked 	skippedC:\WINDOWS\system32\config\SOFTWARE 	Object is locked 	skippedC:\WINDOWS\system32\config\DEFAULT 	Object is locked 	skippedC:\WINDOWS\system32\config\SysEvent.Evt 	Object is locked 	skippedC:\WINDOWS\system32\config\AppEvent.Evt 	Object is locked 	skippedC:\WINDOWS\system32\config\SecEvent.Evt 	Object is locked 	skippedC:\WINDOWS\system32\config\Antivirus.Evt 	Object is locked 	skippedC:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA 	Object is locked 	skippedC:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR 	Object is locked 	skippedC:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP 	Object is locked 	skippedC:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP 	Object is locked 	skippedC:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER 	Object is locked 	skippedC:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP 	Object is locked 	skippedC:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP 	Object is locked 	skippedC:\WINDOWS\system32\CatRoot2\edb.log 	Object is locked 	skippedC:\WINDOWS\system32\CatRoot2	mp.edb 	Object is locked 	skippedC:\WINDOWS\system32\_zskwrkni04HRNQHMQMLFXFLDZA.exe 	Infected: Trojan-Proxy.Win32.Agent.km 	skippedC:\WINDOWS\Temp\_avast4_\Webshlock.txt 	Object is locked 	skippedC:\WINDOWS\Temp\ZLT05fb8.TMP 	Object is locked 	skippedC:\WINDOWS\Temp\Perflib_Perfdata_6e4.dat 	Object is locked 	skippedC:\WINDOWS\Debug\PASSWD.LOG 	Object is locked 	skippedC:\WINDOWS\SchedLgU.Txt 	Object is locked 	skippedC:\WINDOWS\Internet Logs	vDebug.log 	Object is locked 	skippedC:\WINDOWS\Internet Logs\fwpktlog.txt 	Object is locked 	skippedC:\WINDOWS\Internet Logs\fwdbglog.txt 	Object is locked 	skippedC:\WINDOWS\Internet Logs\IAMDB.RDB 	Object is locked 	skippedC:\WINDOWS\Internet Logs\ACER-WB7UXMO8BJ.ldb 	Object is locked 	skippedC:\WINDOWS\WindowsUpdate.log 	Object is locked 	skippedC:\WINDOWS\SoftwareDistribution\ReportingEvents.log 	Object is locked 	skippedC:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat 	Object is locked 	skippedC:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat 	Object is locked 	skippedC:\Documents and Settings\NetworkService\NTUSER.DAT 	Object is locked 	skippedC:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat 	Object is locked 	skippedC:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG 	Object is locked 	skippedC:\Documents and Settings\NetworkService
tuser.dat.LOG 	Object is locked 	skippedC:\Documents and Settings\LocalService\NTUSER.DAT 	Object is locked 	skippedC:\Documents and Settings\LocalService\Local Settings\Historique\History.IE5\index.dat 	Object is locked 	skippedC:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat 	Object is locked 	skippedC:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat 	Object is locked 	skippedC:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG 	Object is locked 	skippedC:\Documents and Settings\LocalService\Cookies\index.dat 	Object is locked 	skippedC:\Documents and Settings\LocalService
tuser.dat.LOG 	Object is locked 	skippedC:\Documents and Settings\enzo\NTUSER.DAT 	Object is locked 	skippedC:\Documents and Settings\enzo
tuser.dat.LOG 	Object is locked 	skippedC:\Documents and Settings\enzo\Local Settings\Historique\History.IE5\index.dat 	Object is locked 	skippedC:\Documents and Settings\enzo\Local Settings\Temporary Internet Files\Content.IE5\index.dat 	Object is locked 	skippedC:\Documents and Settings\enzo\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG 	Object is locked 	skippedC:\Documents and Settings\enzo\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat 	Object is locked 	skippedC:\Documents and Settings\enzo\Local Settings\Application Data\Microsoft\Media Player\CurrentDatabase_59R.wmdb 	Object is locked 	skippedC:\Documents and Settings\enzo\Cookies\index.dat 	Object is locked 	skippedC:\Program Files\Alwil Software\Avast4\DATAeport\Protection résidente.txt 	Object is locked 	skippedC:\Program Files\Alwil Software\Avast4\DATA\log
shield.log 	Object is locked 	skippedC:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws 	Object is locked 	skippedC:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log 	Object is locked 	skippedC:\Program Files\Alwil Software\Avast4\DATA\Avast4.db 	Object is locked 	skippedC:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat 	Object is locked 	skippedC:\System Volume Information\_restore{C6DE8109-9D72-434C-A35E-FFA5FB4B228D}\RP11\A0002815.exe/stream/data0001 	Infected: Packed.Win32.Tibs 	skippedC:\System Volume Information\_restore{C6DE8109-9D72-434C-A35E-FFA5FB4B228D}\RP11\A0002815.exe/stream 	Infected: Packed.Win32.Tibs 	skippedC:\System Volume Information\_restore{C6DE8109-9D72-434C-A35E-FFA5FB4B228D}\RP11\A0002815.exe 	NSIS: infected - 2 	skippedC:\System Volume Information\_restore{C6DE8109-9D72-434C-A35E-FFA5FB4B228D}\RP11\A0002858.exe 	Infected: Packed.Win32.Tibs 	skippedC:\System Volume Information\_restore{C6DE8109-9D72-434C-A35E-FFA5FB4B228D}\RP11\A0003871.exe 	Infected: Trojan-Proxy.Win32.Wopla.r 	skippedC:\System Volume Information\_restore{C6DE8109-9D72-434C-A35E-FFA5FB4B228D}\RP11\A0003872.exe 	Infected: not-virus:Hoax.Win32.Renos.dc 	skippedC:\System Volume Information\_restore{C6DE8109-9D72-434C-A35E-FFA5FB4B228D}\RP11\A0003873.exe 	Infected: not-virus:Hoax.Win32.Renos.dc 	skippedC:\System Volume Information\_restore{C6DE8109-9D72-434C-A35E-FFA5FB4B228D}\RP11\A0003874.exe 	Infected: not-virus:Hoax.Win32.Renos.dc 	skippedC:\System Volume Information\_restore{C6DE8109-9D72-434C-A35E-FFA5FB4B228D}\RP11\A0003875.exe 	Infected: Trojan-Proxy.Win32.Wopla.r 	skippedC:\System Volume Information\_restore{C6DE8109-9D72-434C-A35E-FFA5FB4B228D}\RP11\A0003876.exe 	Infected: not-virus:Hoax.Win32.Renos.dc 	skippedC:\System Volume Information\_restore{C6DE8109-9D72-434C-A35E-FFA5FB4B228D}\RP11\A0003877.exe 	Infected: Trojan-Proxy.Win32.Wopla.r 	skippedC:\System Volume Information\_restore{C6DE8109-9D72-434C-A35E-FFA5FB4B228D}\RP11\A0003878.exe 	Infected: Trojan-Proxy.Win32.Wopla.r 	skippedC:\System Volume Information\_restore{C6DE8109-9D72-434C-A35E-FFA5FB4B228D}\RP11\A0003879.exe 	Infected: not-virus:Hoax.Win32.Renos.dc 	skippedC:\System Volume Information\_restore{C6DE8109-9D72-434C-A35E-FFA5FB4B228D}\RP11\A0003880.exe 	Infected: Trojan-Proxy.Win32.Wopla.r 	skippedC:\System Volume Information\_restore{C6DE8109-9D72-434C-A35E-FFA5FB4B228D}\RP11\A0003881.exe 	Infected: Trojan-Proxy.Win32.Wopla.r 	skippedC:\System Volume Information\_restore{C6DE8109-9D72-434C-A35E-FFA5FB4B228D}\RP13\A0011425.exe 	Infected: Trojan-Proxy.Win32.Agent.km 	skippedC:\System Volume Information\_restore{C6DE8109-9D72-434C-A35E-FFA5FB4B228D}\RP15\change.log 	Object is locked 	skippedC:\xgptbvg.exe 	Infected: Packed.Win32.Tibs 	skippedD:\System Volume Information\MountPointManagerRemoteDatabase 	Object is locked 	skippedScan process completed.Bonne lecture,@+

laurentired · Answer

Salut tout le monde!A la suite du scan ci-dessus, j'ai fais un scan complet avec mon "brand new" avast et il m'a repéré des virus (3) win32 que j'ai mis en quarantaine. Je ne sais pas trop quelle est la marche a suivre maintenant.   A tres bientot,

green day · Answer

Salut à tous ! Enzo : remets un nouveau hijackthis stp ++

laurentired · Answer

coucou tt le monde, Cher Green day, voici le log.A tres bientot!Logfile of HijackThis v1.99.1Scan saved at 21:15:43, on 28/06/2006Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Running processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\System32\Ati2evxx.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\Explorer.EXEC:\Acer\eManager\anbmServ.exeC:\Program Files\Alwil Software\Avast4\aswUpdSv.exeC:\Program Files\Alwil Software\Avast4\ashServ.exeC:\Program Files\Synaptics\SynTP\SynTPLpr.exeC:\Program Files\Synaptics\SynTP\SynTPEnh.exeC:\Program Files\Aspire Arcade\PCMService.exeC:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exeC:\Program Files\Launch Manager\QtZgAcer.EXEC:\Program Files\Zone Labs\ZoneAlarm\zlclient.exeC:\Program Files\ewido anti-spyware 4.0\guard.exeC:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exeC:\Program Files\Fichiers communs\Real\Update_OB\realsched.exeC:\WINDOWS\system32\ZONELABS\vsmon.exeC:\Program Files\Alwil Software\Avast4\ashMaiSv.exeC:\Program Files\Alwil Software\Avast4\ashWebSv.exeC:\WINDOWS\system32\wuauclt.exeC:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Real\RealPlayer\RealPlay.exeC:\Documents and Settings\enzo\Bureau\HijackThis.exeR1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://www.sfr.fr/offres-numericable.htmlR0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = LiensO2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dllO2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dllO4 - HKLM\..\Run: [LaunchApp] AlaunchO4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exeO4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exeO4 - HKLM\..\Run: [PCMService] "C:\Program Files\Aspire Arcade\PCMService.exe"O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNCO4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNCO4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMENameO4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exeO4 - HKLM\..\Run: [LManager] C:\Program Files\Launch Manager\QtZgAcer.EXEO4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exeO4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exeO4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe"  -osbootO4 - HKLM\..\Run: [51¸ß¼¶ÉÏ´«×é¼þ] C:\Program Files\51.com\51UpdateManager.exeO4 - HKLM\..\RunServices: [ÿ_zskqixtzu[p_jbaxf]`40inkrwksz_] c:\windows\system32\_zskwrkni04`]fxabj_p[uztxiq.exeO4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /backgroundO8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLLO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cabO16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cabO23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Fichiers communs\Adobe Systems Shared\Service\Adobelmsvc.exeO23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exeO23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exeO23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exeO23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exeO23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exeO23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exeO23 - Service: wsfws(wsfws) (wsfws) - Unknown owner - C:\WINDOWS\system32\wsfws.exe (file missing)

laurentired · Answer

salut a tous,J'ajoute une breve description de mes soucis restants (ca va dix fois mieux, je tiens avous le dire):si l'ordi se met en veille, impossible de le relancer, je suis alors obligé de le rebooter.La connexion internet reste un peu aléatoire, et zonealarm a mistérieusement disparu, je l'ai donc désinstallé et réinstallé, ce qui a fait l'affaire!J'attends votre réponse d'atant plus impatiemment que je suis libre pour travailler dessus aujourd'hui!@+ a todos.

Regis59 · Answer

Salut,Rend toi sur ce site :http://www.virustotal.com/xhtml/virustotal_en.html Clik sur parcourirRecherche ceci :C:\WINDOWS\system32\wsfws.exe Clik send et colle le rapport stpA+

laurentired · Answer

SALUT Regis,je ne retrouve pas ce fichier, j'avais pourtant déja fait cette manip...comprends pas!que faire?

Regis59 · Answer

Bonjour, Méthode à suivre dans l'ordre... ---------------------------------------------------------------------------- ¤Télécharge ces logiciels mais que tu n‘utilises pas tout de suite: 1/ Spybot S&D 1.4 <exécuter->tape: services.msc Double-clique: Service: wsfws Règle-le sur "Arrêté" et "Désactivé". ---------------------------------------------------------------------------- ¤ Lancer et exécuter Ewido pour un scan complet et copier/coller le rapport en forum. ---------------------------------------------------------------------------- ¤ Passe Ad-Aware et supprime tout ce qu’il trouve + supprime les quarantaines… ---------------------------------------------------------------------------- ¤ Passe Spybot et corrige tout ce qu’il trouve + vaccine + supprime les quarantaines… ------------------------------------------------------------------------------------------- ¤ Lance CCleaner. Suppression des fichiers temporaires Va dans la section "Options" situé dans la marge gauche. Va dans "Avancé" et décoche "Effacer uniquement les fichiers, du dossier Temp de Windows, plus vieux que 48 heures". Retourne ensuite dans la section "Nettoyeur" Fais bien attention de cocher toutes les cases dans la marge gauche (Internet Explorer/Windows Explorer/Système/Avancé) • Clique sur Analyse • Patiente le temps du scan, qui peut prendre un peu de temps si c'est la première fois. • Une fois le scan terminé, clique sur Lancer le Nettoyage Suppression des incohérence du registre • Clique sur l'icône Erreurs situés dans la marge à gauche. • Puis clique sur Analyser les erreurs • Patiente pendant que CCleaner scan ton registre. • Une fois le scan terminé, coche toutes les entrèes qu'il t'aura trouvée. • Tu peux cliquer ensuite sur Corriger les erreurs. Si tu n'est pas sur de ce que tu fais, tu peux choisir de sauvegarder les entrées cochées pour les restaurer ultérieurement ---------------------------------------------------------------------------- ¤ Vide ta Corbeille. ---------------------------------------------------------------------------- ¤ Redémarre en mode normal, relance Hijackthis et copie/colle un nouveau rapport sur le forum. Précise tes soucis s’il en reste.... Tiens-moi au courant A+

laurentired · Answer

re,donc j'ai fait tt ce que tu m'as de faire, spybot et adaware n'ontrien trouvé, et voici le rapport de hijackthis suivi du scan ewido (je ne respecte pas l'ordre chronologique).Logfile of HijackThis v1.99.1Scan saved at 19:20:21, on 29/06/2006Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Running processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\System32\Ati2evxx.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\system32\userinit.exeC:\WINDOWS\Explorer.EXEC:\Program Files\Synaptics\SynTP\SynTPLpr.exeC:\Program Files\Synaptics\SynTP\SynTPEnh.exeC:\Program Files\Aspire Arcade\PCMService.exeC:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exeC:\Program Files\Launch Manager\QtZgAcer.EXEC:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exeC:\Program Files\Fichiers communs\Real\Update_OB\realsched.exeC:\Program Files\Zone Labs\ZoneAlarm\zlclient.exeC:\Program Files\Messenger\msmsgs.exeC:\Acer\eManager\anbmServ.exeC:\Program Files\Alwil Software\Avast4\aswUpdSv.exeC:\Program Files\Alwil Software\Avast4\ashServ.exeC:\Documents and Settings\enzo\Bureau\HijackThis.exeC:\Program Files\ewido anti-spyware 4.0\guard.exeC:\WINDOWS\system32\ZONELABS\vsmon.exeC:\WINDOWS\system32\fxssvc.exeC:\Program Files\Alwil Software\Avast4\setup\avast.setupR1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://www.sfr.fr/offres-numericable.htmlR0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = LiensO2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dllO2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO4 - HKLM\..\Run: [LaunchApp] AlaunchO4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exeO4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exeO4 - HKLM\..\Run: [PCMService] "C:\Program Files\Aspire Arcade\PCMService.exe"O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNCO4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNCO4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMENameO4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exeO4 - HKLM\..\Run: [LManager] C:\Program Files\Launch Manager\QtZgAcer.EXEO4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exeO4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe"  -osbootO4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exeO4 - HKLM\..\RunServices: [ÿ_zskqixtzu[p_jbaxf]`40inkrwksz_] c:\windows\system32\_zskwrkni04`]fxabj_p[uztxiq.exeO4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /backgroundO8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLLO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cabO16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cabO23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Fichiers communs\Adobe Systems Shared\Service\Adobelmsvc.exeO23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exeO23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exeO23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exeO23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exeO23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exeO23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exeO23 - Service: wsfws(wsfws) (wsfws) - Unknown owner - C:\WINDOWS\system32\wsfws.exe (file missing)---------------------------------------------------------ewido anti-spyware - Scan Report--------------------------------------------------------- + Created at:	18:49:08 29/06/2006 + Scan result:	C:\System Volume Information\_restore{C6DE8109-9D72-434C-A35E-FFA5FB4B228D}\RP13\A0011425.exe -> Proxy.Agent.km : No action taken.C:\WINDOWS\system32\_zskwrkni04HRNQHMQMLFXFLDZA.exe -> Proxy.Agent.km : No action taken.:mozilla.15:C:\Documents and Settings\enzo\Application Data\Mozilla\Firefox\Profiles\9ecpji4n.default\cookies.txt -> TrackingCookie.247realmedia : No action taken.:mozilla.16:C:\Documents and Settings\enzo\Application Data\Mozilla\Firefox\Profiles\9ecpji4n.default\cookies.txt -> TrackingCookie.247realmedia : No action taken.:mozilla.17:C:\Documents and Settings\enzo\Application Data\Mozilla\Firefox\Profiles\9ecpji4n.default\cookies.txt -> TrackingCookie.247realmedia : No action taken.:mozilla.18:C:\Documents and Settings\enzo\Application Data\Mozilla\Firefox\Profiles\9ecpji4n.default\cookies.txt -> TrackingCookie.247realmedia : No action taken.:mozilla.19:C:\Documents and Settings\enzo\Application Data\Mozilla\Firefox\Profiles\9ecpji4n.default\cookies.txt -> TrackingCookie.247realmedia : No action taken.C:\Documents and Settings\enzo\Cookies\enzo@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : No action taken.:mozilla.30:C:\Documents and Settings\enzo\Application Data\Mozilla\Firefox\Profiles\9ecpji4n.default\cookies.txt -> TrackingCookie.Adtech : No action taken.:mozilla.31:C:\Documents and Settings\enzo\Application Data\Mozilla\Firefox\Profiles\9ecpji4n.default\cookies.txt -> TrackingCookie.Adtech : No action taken.:mozilla.23:C:\Documents and Settings\enzo\Application Data\Mozilla\Firefox\Profiles\9ecpji4n.default\cookies.txt -> TrackingCookie.Bluestreak : No action taken.:mozilla.8:C:\Documents and Settings\enzo\Application Data\Mozilla\Firefox\Profiles\9ecpji4n.default\cookies.txt -> TrackingCookie.Doubleclick : No action taken.:mozilla.33:C:\Documents and Settings\enzo\Application Data\Mozilla\Firefox\Profiles\9ecpji4n.default\cookies.txt -> TrackingCookie.Estat : No action taken.:mozilla.20:C:\Documents and Settings\enzo\Application Data\Mozilla\Firefox\Profiles\9ecpji4n.default\cookies.txt -> TrackingCookie.Smartadserver : No action taken.:mozilla.21:C:\Documents and Settings\enzo\Application Data\Mozilla\Firefox\Profiles\9ecpji4n.default\cookies.txt -> TrackingCookie.Smartadserver : No action taken.:mozilla.22:C:\Documents and Settings\enzo\Application Data\Mozilla\Firefox\Profiles\9ecpji4n.default\cookies.txt -> TrackingCookie.Smartadserver : No action taken.C:\Documents and Settings\enzo\Cookies\enzo@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : No action taken.C:\System Volume Information\_restore{C6DE8109-9D72-434C-A35E-FFA5FB4B228D}\RP11\A0002858.exe -> Trojan.Small : No action taken.C:\xgptbvg.exe -> Trojan.Small : No action taken.::Report endVoila le tout!a tout' et merci bien!

^^Marie^^ · Answer

Salut,Juste en passantNo action taken-----> il n'a pas fonctionné....Tuto : http://mickael.barroux.free.fr/securite/tutoewido.htmlA++

laurentired · Answer

salut a tous,J'ai refait le scan  ewido et ce coup la ca a fonctionné me semble-t-il.voici le rapport:---------------------------------------------------------ewido anti-spyware - Scan Report--------------------------------------------------------- + Created at:	12:58:23 30/06/2006 + Scan result:	C:\System Volume Information\_restore{C6DE8109-9D72-434C-A35E-FFA5FB4B228D}\RP16\A0015556.exe -> Proxy.Agent.km : Cleaned.:mozilla.17:C:\Documents and Settings\enzo\Application Data\Mozilla\Firefox\Profiles\9ecpji4n.default\cookies.txt -> TrackingCookie.247realmedia : Cleaned.:mozilla.18:C:\Documents and Settings\enzo\Application Data\Mozilla\Firefox\Profiles\9ecpji4n.default\cookies.txt -> TrackingCookie.247realmedia : Cleaned.:mozilla.19:C:\Documents and Settings\enzo\Application Data\Mozilla\Firefox\Profiles\9ecpji4n.default\cookies.txt -> TrackingCookie.247realmedia : Cleaned.:mozilla.20:C:\Documents and Settings\enzo\Application Data\Mozilla\Firefox\Profiles\9ecpji4n.default\cookies.txt -> TrackingCookie.247realmedia : Cleaned.:mozilla.21:C:\Documents and Settings\enzo\Application Data\Mozilla\Firefox\Profiles\9ecpji4n.default\cookies.txt -> TrackingCookie.247realmedia : Cleaned.:mozilla.7:C:\Documents and Settings\enzo\Application Data\Mozilla\Firefox\Profiles\9ecpji4n.default\cookies.txt -> TrackingCookie.Adtech : Cleaned.:mozilla.8:C:\Documents and Settings\enzo\Application Data\Mozilla\Firefox\Profiles\9ecpji4n.default\cookies.txt -> TrackingCookie.Adtech : Cleaned.:mozilla.25:C:\Documents and Settings\enzo\Application Data\Mozilla\Firefox\Profiles\9ecpji4n.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.:mozilla.16:C:\Documents and Settings\enzo\Application Data\Mozilla\Firefox\Profiles\9ecpji4n.default\cookies.txt -> TrackingCookie.Bluestreak : Cleaned.:mozilla.6:C:\Documents and Settings\enzo\Application Data\Mozilla\Firefox\Profiles\9ecpji4n.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.:mozilla.10:C:\Documents and Settings\enzo\Application Data\Mozilla\Firefox\Profiles\9ecpji4n.default\cookies.txt -> TrackingCookie.Estat : Cleaned.:mozilla.22:C:\Documents and Settings\enzo\Application Data\Mozilla\Firefox\Profiles\9ecpji4n.default\cookies.txt -> TrackingCookie.Smartadserver : Cleaned.:mozilla.23:C:\Documents and Settings\enzo\Application Data\Mozilla\Firefox\Profiles\9ecpji4n.default\cookies.txt -> TrackingCookie.Smartadserver : Cleaned.:mozilla.24:C:\Documents and Settings\enzo\Application Data\Mozilla\Firefox\Profiles\9ecpji4n.default\cookies.txt -> TrackingCookie.Smartadserver : Cleaned.C:\System Volume Information\_restore{C6DE8109-9D72-434C-A35E-FFA5FB4B228D}\RP16\A0015557.exe -> Trojan.Small : Cleaned.::Report end

^^Marie^^ · Answer

Salut,Ce sont des cookies, donc pas grave.Garde ce logiciel dans tes favoris :Ccleaner : ( nettoyeur de registre, cookies+temps+tempos+prefetch+historique+etc..)Télécharge ici :https://www.ccleaner.com/ccleaner/downloadTutorial ici:https://www.vulgarisation-informatique.com/nettoyer-windows-ccleaner.phpTu le passes de temps en temps...A++

laurentired · Answer

et voici le scan hijackthis apres ewido:Logfile of HijackThis v1.99.1Scan saved at 13:03:04, on 30/06/2006Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Running processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\System32\Ati2evxx.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\Explorer.EXEC:\Program Files\Synaptics\SynTP\SynTPLpr.exeC:\Program Files\Synaptics\SynTP\SynTPEnh.exeC:\Program Files\Aspire Arcade\PCMService.exeC:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exeC:\Program Files\Launch Manager\QtZgAcer.EXEC:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exeC:\Program Files\Fichiers communs\Real\Update_OB\realsched.exeC:\Program Files\Zone Labs\ZoneAlarm\zlclient.exeC:\Program Files\Messenger\msmsgs.exeC:\Acer\eManager\anbmServ.exeC:\Program Files\Alwil Software\Avast4\aswUpdSv.exeC:\Program Files\Alwil Software\Avast4\ashServ.exeC:\Program Files\ewido anti-spyware 4.0\guard.exeC:\WINDOWS\system32\ZONELABS\vsmon.exeC:\Program Files\Alwil Software\Avast4\ashWebSv.exeC:\Program Files\Alwil Software\Avast4\ashMaiSv.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\ewido anti-spyware 4.0\ewido.exeC:\PROGRA~1\MOZILL~1\FIREFOX.EXEC:\Documents and Settings\enzo\Bureau\HijackThis.exeR1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://www.sfr.fr/offres-numericable.htmlR0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = LiensO2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dllO2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO4 - HKLM\..\Run: [LaunchApp] AlaunchO4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exeO4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exeO4 - HKLM\..\Run: [PCMService] "C:\Program Files\Aspire Arcade\PCMService.exe"O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNCO4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNCO4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMENameO4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exeO4 - HKLM\..\Run: [LManager] C:\Program Files\Launch Manager\QtZgAcer.EXEO4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exeO4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe"  -osbootO4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exeO4 - HKLM\..\RunServices: [ÿ_zskqixtzu[p_jbaxf]`40inkrwksz_] c:\windows\system32\_zskwrkni04`]fxabj_p[uztxiq.exeO4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /backgroundO8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLLO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cabO16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cabO23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Fichiers communs\Adobe Systems Shared\Service\Adobelmsvc.exeO23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exeO23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exeO23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exeO23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exeO23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exeO23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exeO23 - Service: wsfws(wsfws) (wsfws) - Unknown owner - C:\WINDOWS\system32\wsfws.exe (file missing)J'ai coché:O4 - HKLM\..\RunServices: [ÿ_zskqixtzu[p_jbaxf]`40inkrwksz_] c:\windows\system32\_zskwrkni04`]fxabj_p[uztxiq.exe.Pour le reste j'attends vos directives@+

laurentired · Answer

re,dois je fermer la discussion en la notant comme résolue?Certaines choses sont récurrentes (comme la ligne que j'ai coché dans le log hijackthis) mais je ne sais pas ce que ca implique. D'autre part, je ne remarque plus, pour l'instant, d'anomalie de fonctionnement.Quoiqu'il en soit, merci mille fois à tous!!!!a tout'

Regis59 · Answer

SalutPour moi c est pas propre:Telecharge cecihttps://www.silentrunners.org/Silent%20Runners.vbs Execute le,atends quelques minutes, il va creer ensuite un dossier juste a coté de silent runner sous format texte, copie/colle ce qu il te donneraA+

laurentired · Answer

salut Regis, je ne suis pas sur que ce soit ce que tu veux, quand je clique sur le lien, ce texte apparait directement; et en allant sur leur site, en cliquant sur download, j'obtiens la même. Donc le voila: 'Silent Runners.vbs -- find out what programs start up with Windows! ' 'DO NOT REMOVE THIS HEADER! ' 'Copyright Andrew ARONOFF 19 June 2006, https://www.silentrunners.org/ 'This script is provided without any warranty, either expressed or implied 'It may not be copied or distributed without permission ' '** YOU RUN THIS SCRIPT AT YOUR OWN RISK! ** 'HEADER ENDS HERE Option Explicit Dim strRevNo : strRevNo = "46" Public flagTest : flagTest = False 'True if testing 'flagTest = True 'Uncomment to test 'This script is divided into 28 sections. 'malware launch points: ' registry keys (I-XII, XV) ' INI/INF-files (XVI-XVIII) ' folders (XIX) ' enabled scheduled tasks (XX) ' Winsock2 service provider DLLs (XXI) ' IE toolbars, explorer bars, extensions (XXII) ' started services (XXVI) ' keyboard driver filters (XXVII) ' printer monitors (XXVIII) 'hijack points: ' System/Group Policies (XIV) ' prefixes for IE URLs (XXIII) ' misc IE points (XXIV) ' HOSTS file (XXV) 'Output is suppressed if deemed normal unless the -all parameter is used 'Sections XVIII & XXII-dormant Explorer Bars are skipped unless the -supp/-all ' parameters are used or the first message box is answered "No" ' I. HKCU/HKLM... Run/RunOnce/RunOnce\Setup ' HKLM... RunOnceEx/RunServices/RunServicesOnce ' HKCU/HKLM... Policies\Explorer\Run ' II. HKLM... Active Setup\Installed Components\ ' HKCU... Active Setup\Installed Components\ ' (StubPath <> "" And HKLM version # > HKCU version #) ' III. HKLM... Explorer\Browser Helper Objects\ ' IV. HKLM... Shell Extensions\Approved\ ' V. HKLM... Explorer\SharedTaskScheduler/ShellExecuteHooks ' VI. HKCU/HKLM... ShellServiceObjectDelayLoad\ ' VII. HKCU... Command Processor\AutoRun ((default) <> "") ' HKCU... Policies\System\Shell (W2K & WXP only) ' HKCU... Windows\load & run ((default) <> "") ' HKCU... Command Processor\AutoRun ((default) <> "") ' HKLM... Windows\AppInit_DLLs ((default) <> "") ' HKLM... Winlogon\Shell/Userinit/System/Ginadll/Taskman ' ((default) <> explorer.exe, userinit.exe, "", "", "") ' HKLM... Control\SafeBoot\Option\UseAlternateShell ' HKLM... Control\Session Manager\BootExecute ' HKLM... Control\Session Manager\WOW\cmdline, wowcmdline ' VIII. HKLM... Winlogon\Notify\ (subkey names/DLLName values <> O/S-specific dictionary data) ' IX. HKLM... Image File Execution Options\ (subkeys with name = "Debugger") ' X. HKCU/HKLM... Policies... Startup/Shutdown, Logon/Logoff ' XI. HKCU/HKLM Protocols\Filter ' XII. Context menu shell extensions ' XIII. HKCR executable file type (bat/cmd/com/exe/hta/pif/scr) ' (shell\open\command data <> "%1" %*; hta <> mshta.exe "%1" %*; scr <> "%1" /S) ' XIV. System/Group Policies ' XV. Enabled Wallpaper & Screen Saver ' XVI. WIN.INI (load/run <> ""), SYSTEM.INI (shell <> explorer.exe, scrnsave.exe), WINSTART.BAT ' XVII. AUTORUN.INF in root of fixed drive (open/shellexecute <> "") ' XVIII. DESKTOP.INI in any local fixed disk directory (section skipped by default) ' XIX. %WINDIR%... Startup & All Users... Startup (W98/WME) or ' %USERNAME%... Startup & All Users... Startup folder contents ' XX. Scheduled Tasks ' XXI. Winsock2 Service Provider DLLs ' XXII. Internet Explorer Toolbars, Explorer Bars, Extensions (dormant ' Explorer Bars section skipped by default) ' XXIII. Internet Explorer URL Prefixes ' XXIV. Misc. IE Hijack Points ' XXV. HOSTS file ' XXVI. Started Services ' XXVII. Keyboard Driver Filters 'XXVIII. Printer Monitors Dim Wshso : Set Wshso = WScript.CreateObject("WScript.Shell") Dim WshoArgs : Set WshoArgs = WScript.Arguments Dim intErrNum, intMB 'Err.Number, MsgBox return value Dim strflagTest : strflagTest = "" If flagTest Then strflagTest = "TEST " Wshso.Popup "Silent Runners is in testing mode.",1, _ "Testing, testing, 1-2-3...", vbOKOnly + vbExclamation End If 'Configuration Detection Section ' FileSystemObject creation error (112) ' CScript/WScript (147) ' Dim (161) ' GetFileVersion(WinVer.exe) (VBScript 5.1) (182) ' OS version (223) ' WMI (279) ' Dim (364) ' command line arguments (440) ' supplementary search MsgBox (532) ' startup MsgBox (557) ' CreateTextFile error (583) ' output file header (625) ' WXP SP2 (629) On Error Resume Next Dim Fso : Set Fso = CreateObject("Scripting.FileSystemObject") intErrNum = Err.Number : Err.Clear On Error Goto 0 If intErrNum <> 0 Then strURL = "https://docs.microsoft.com/en-us/" intMB = MsgBox (Chr(34) & "Silent Runners" & Chr(34) &_ " cannot access file services critical to" & vbCRLF &_ "proper script operation." & vbCRLF & vbCRLF &_ "If you are running Windows XP, make sure that the" &_ vbCRLF & Chr(34) & "Cryptographic Services" & Chr(34) &_ " service is started." & vbCRLF & vbCRLF &_ "You can also try reinstalling the latest version of the MS" &_ vbCRLF & "Windows Script Host." & vbCRLF & vbCRLF &_ "Press " & Chr(34) & "OK" & Chr(34) & " to direct your browser to " &_ "the download site or" & vbCRLF & Space(10) & Chr(34) & "Cancel" &_ Chr(34) & " to quit.", vbOKCancel + vbCritical, _ "Can't access the FileSystemObject!") 'if dl wanted now, send browser to dl site If intMB = 1 Then Wshso.Run strURL WScript.Quit End If Dim oNetwk : Set oNetwk = WScript.CreateObject("WScript.Network") Const HKLM = &H80000002, HKCU = &H80000001 Const REG_SZ=1, REG_EXPAND_SZ=2, REG_BINARY=3, REG_DWORD=4, REG_MULTI_SZ=7 Const MS = " [MS]" Const DQ = """" 'determine whether output is via MsgBox/PopUp or Echo Dim flagOut If InStr(LCase(WScript.FullName),"wscript.exe") > 0 Then flagOut = "W" 'WScript ElseIf InStr(LCase(WScript.FullName),"cscript.exe") > 0 Then flagOut = "C" 'CScript Else 'echo and continue if it works flagOut = "C" 'assume CScript-compatible WScript.Echo "Neither " & Chr(34) & "WSCRIPT.EXE" & Chr(34) & " nor " &_ Chr(34) & "CSCRIPT.EXE" & Chr(34) & " was detected as " &_ "the script host." & vbCRLF & Chr(34) & "Silent Runners" & Chr(34) &_ " will assume that the script host is CSCRIPT-compatible and will" & vbCRLF &_ "use WScript.Echo for all messages." End If 'script host Const SysFolder = 1 : Const WinFolder = 0 Dim strOS : strOS = "Unknown" Dim strOSLong : strOSLong = "Unknown" Dim strOSXP : strOSXP = "Windows XP Home" 'XP Home or Pro Public strFPSF : strFPSF = Fso.GetSpecialFolder(SysFolder).Path 'FullPathSystemFolder Public strFPWF : strFPWF = Fso.GetSpecialFolder(WinFolder).Path 'FullPathWindowsFolder Public strExeBareName 'bare file name w/o windows or system folder prefixes Dim strSysVer 'Winver.exe version number Dim intErrNum1, intErrNum2, intErrNum3, intErrNum4, intErrNum5, intErrNum6 'error number Dim intLenValue 'value length Dim strURL 'download URL Dim flagGP : flagGP = False 'assume Group Policies cannot be set in the O/S Dim intCLL : intCLL = 1 'CLSID Lower Limit, default is for O/S <= NT4 'Winver.exe is in \Windows under W98, but in \System32 for other O/S's 'trap GetFileVersion error for VBScript version < 5.1 On Error Resume Next If Fso.FileExists (strFPSF & "\Winver.exe") Then strSysVer = Fso.GetFileVersion(strFPSF & "\Winver.exe") Else strSysVer = Fso.GetFileVersion(strFPWF & "\Winver.exe") End If intErrNum = Err.Number : Err.Clear On Error Goto 0 'if old VBScript version If intErrNum <> 0 Then 'store dl URL strURL = "http://tinyurl.com/7zh0" 'if using WScript If flagOut = "W" Then 'explain the problem intMB = MsgBox ("This script requires VBScript 5.1 or higher " &_ "to run." & vbCRLF & vbCRLF & "The latest version of VBScript can " &_ "be downloaded at: " & strURL & vbCRLF & vbCRLF &_ "Press " & Chr(34) & "OK" & Chr(34) & " to direct your browser to " &_ "the download site or " & Chr(34) & "Cancel" & Chr(34) &_ " to quit." & vbCRLF & vbCRLF & "(WMI is also required. If it's " &_ "missing, download instructions will appear later.)", _ vbOKCancel + vbExclamation,"Unsupported VBScript Version!") 'if dl wanted now, send browser to dl site If intMB = 1 Then Wshso.Run strURL 'if using CScript Else 'flagOut = "C" 'explain the problem WScript.Echo Chr(34) & "Silent Runners" & Chr(34) & " requires " &_ "VBScript 5.1 or higher to run." & vbCRLF & vbCRLF &_ "It can be downloaded at: " & strURL End If 'WScript or CScript? 'quit the script WScript.Quit End If 'VBScript version error encountered? 'use WINVER.EXE file version to determine O/S If Instr(Left(strSysVer,3),"4.1") > 0 Then strOS = "W98" : strOSLong = "Windows 98" ElseIf Instr(Left(strSysVer,5),"4.0.1") > 0 Then strOS = "NT4" : strOSLong = "Windows NT 4.0" ElseIf Instr(Left(strSysVer,8),"4.0.0.95") > 0 Then strOS = "W98" : strOSLong = "Windows 95" ElseIf Instr(Left(strSysVer,8),"4.0.0.11") > 0 Then strOS = "W98" : strOSLong = "Windows 95 SR2 (OEM)" ElseIf Instr(Left(strSysVer,3),"5.0") > 0 Then strOS = "W2K" : strOSLong = "Windows 2000" : : intCLL = 0 : flagGP = True ElseIf Instr(Left(strSysVer,3),"5.1") > 0 Then 'SP0 & SP1 = 5.1.2600.0, SP2 = 5.1.2600.2180 strOS = "WXP" : strOSLong = "Windows XP" : intCLL = 0 If Instr(strSysVer,".2180") > 0 Then strOSLong = "Windows XP SP2" ElseIf Instr(Left(strSysVer,3),"4.9") > 0 Then strOS = "WME" : strOSLong = "Windows Me (Millennium Edition)" ElseIf Instr(Left(strSysVer,3),"5.2") > 0 Then strOS = "WXP" : strOSLong = "Windows Server 2003 (interpreted as Windows XP)" flagGP = True : intCLL = 0 Else 'unknown strSysVer If flagOut = "W" Then intMB = MsgBox ("The " & Chr(34) & "Silent Runners" & Chr(34) &_ " script cannot determine the operating system." & vbCRLF & vbCRLF &_ "Click " & Chr(34) & "OK" & Chr(34) & " to send an e-mail to the " &_ "author, providing the following information:" & vbCRLF & vbCRLF &_ "WINVER.EXE file version = " & strSysVer & vbCRLF & vbCRLF &_ "or click " & Chr(34) & "Cancel" & Chr(34) & " to quit.", _ 49,"O/S Unknown!") If intMB = 1 Then Wshso.Run "mailto:Andrew%20Aronoff%20" &_ "<%73%72.%6F%73.%76%65%72.%65%72%72%6F%72@%61%61%72%6F%6E%6F%66%66.%63%6F%6D>?" &_ "subject=Silent%20Runners%20OS%20Version%20Error&body=WINVER.EXE" &_ "%20file%20version%20=%20" & strSysVer Else 'flagOut = "C" WScript.Echo Chr(34) & "Silent Runners" & Chr(34) & " cannot " &_ "determine the operating system." & vbCRLF & vbCRLF & "This script will exit." End If 'flagOut? WScript.Quit End If 'OS id'd from strSysVer? 'use WMI to connect to the registry On Error Resume Next Dim oReg : Set oReg = GetObject("winmgmts:\root\default:StdRegProv") intErrNum = Err.Number : Err.Clear On Error Goto 0 'detect WMI connection error If intErrNum <> 0 Then strURL = "" 'for W98/NT4, assume WMI not installed and direct to d/l URL If strOS = "W98" Or strOS = "NT4" Then If strOS = "W98" Then strURL = "http://tinyurl.com/jbxe" If strOS = "NT4" Then strURL = "http://tinyurl.com/7wd7" 'invite user to download WMI & quit If flagOut = "W" Then intMB = MsgBox ("This script requires " & Chr(34) & "WMI" &_ Chr(34) & ", Windows Management Instrumentation, to run." &_ vbCRLF & vbCRLF & "It can be downloaded at: " & strURL &_ vbCRLF & vbCRLF & "Press " & Chr(34) & "OK" & Chr(34) &_ " to direct your browser to the download site or " &_ Chr(34) & "Cancel" & Chr(34) & " to quit.",_ vbOKCancel + vbCritical,"WMI Not Installed!") If intMB = 1 Then Wshso.Run strURL 'at command line, explain & quit Else 'flagOut = "C" WScript.Echo Chr(34) & "Silent Runners" & Chr(34) & " requires " &_ Chr(34) & "WMI" & Chr(34) & ", Windows Management Instrumentation, " &_ "to run." & vbCRLF & vbCRLF & "It can be downloaded at: " & strURL End If 'for W2K Or WXP, explain how to start the WMI service ElseIf strOS = "W2K" Or strOS = "WXP" Then If strOS = "W2K" Then strLine = "Settings, " 'explain how to turn on WMI service If flagOut = "W" Then MsgBox "This script requires Windows Management Instrumentation" &_ " to run." & vbCRLF & vbCRLF & "Click on Start, " & strLine &_ "Control Panel, Administrative Tools, Services," & vbCRLF &_ "and start the " & Chr(34) & "Windows Management Instrumentation" &_ Chr(34) & " service.",vbOKOnly + vbCritical,"WMI Service not running!" 'at command line, explain & quit Else 'flagOut = "C" WScript.Echo Chr(34) & "Silent Runners" & Chr(34) & " requires " &_ "Windows Management Instrumentation to run." & vbCRLF & vbCRLF &_ "Click on Start, " & strLine & "Control Panel, Administrative " &_ " Tools, Services," & vbCRLF & "and start the " & Chr(34) &_ "Windows Management Instrumentation" & Chr(34) & " service." End If 'flagOut? Else 'WME 'say there's a WMI problem If flagOut = "W" Then MsgBox "This script requires WMI (Windows Management Instrumentation)" &_ " to run," & vbCRLF & "but WMI is not running correctly.", _ vbOKOnly + vbCritical,"WMI problem!" 'at command line, explain & quit Else 'flagOut = "C" WScript.Echo Chr(34) & "Silent Runners" & Chr(34) & " requires " &_ "WMI (Windows Management Instrumentation) to run," & vbCRLF &_ "but WMI is not running correctly." End If 'flagOut? End If 'which O/S? WScript.Quit End If 'WMI execution error 'array of Run keys, counter x 5, hive member, startup folder file, 'startup file shortcut, IERESET.INF file Dim arRunKeys, i, ii, j, k, l, oHiveElmt, oSUFi, oSUSC 'dictionary, keys, items, hard disk collection Dim arSK, arSKk, arSKi, colDisks 'arrays: Run key names, keys, sub-keys, value type, Protocol filters Dim arNames(), arKeys(), arSubKeys(), arType, arFilter() 'Sub-Directory DeskTop.Ini array, Sub-Directory Error array Public arSDDTI(), arSDErr() 'DeskTop.Ini counter, Error counter, Classes data Hive counter Public ctrArDTI, ctrArErr, ctrCH Public ctrFo : ctrFo = 0 'folder counter 'name member, key array member x 4, O/S, drive root directory, work file Dim oName, oKey, oKey2, strMemKey, strMemSubKey, oOS, oRoot, oFileWk 'values x 7 Dim strValue, strValue1, strValue2, strValue3, strValue4, strValue5, strValue6, intValue 'name, single character, startup folder name, startup folder, array member, temp var Dim strName, strChr, arSUFN, oSUF, strArMember, strTmp 'output string x 3 Public strOut, strOut1, strOut2 'output file msg x 2, warning string, title line Dim strLine, strLine1, strLine2, strWarn, strTitleLine Dim strKey, strKey1, strKey2, strKey3, strSubKey 'register key x 4, sub-key 'output file name string (incl. path), file name (wo path), 'PIF path string, single binary character Dim strFN, strFNNP, strPIFTgt, bin1C Public datLaunch : datLaunch = Now 'script launch time Public intCnt 'counter 'ref time, time taken by 2 pop-up boxes Public datRef : datRef = 0 Public datPUB1 : datPUB1 = 0 : Public datPUB2 : datPUB2 = 0 'TRUE if show all output (default values not filtered) Public flagShowAll : flagShowAll = False Dim strRptOutput : strRptOutput = "Output limited to non-default values, " &_ "except where indicated by " & Chr(34) & "{++}" & Chr(34) 'output file string Public strTitle : strTitle = "" Public strSubTitle : strSubTitle = "" Public strSubSubTitle : strSubSubTitle = "" Public flagNVP : flagNVP = False 'existence of name/value pairs in a key Public flagInfect : flagInfect = False 'flag infected condition Dim flagMatch 'flag matching keys Dim flagAllow 'flag key on approved list Dim flagFound 'flag key that exists in Registry Dim flagDirArg : flagDirArg = False 'presence of output directory argument Dim flagIsCLSID : flagIsCLSID = False 'true if argument in CLSID format Dim flagTitle 'True if title has already been written Dim flagAllArg : flagAllArg = False 'presence of all output argument Dim flagArray 'flag array containing elements Public flagSupp : flagSupp = False 'do *not* check for DESKTOP.INI in all 'directories of local fixed disks 'or for dormant Explorer Bars Dim intLBSP 'Last BackSlash Position in path string Dim intSS 'lowest sort subscript Dim intType 'value type Dim strDLL, strCN 'DLL name, company name 'string to signal all output by default Public strAllOutDefault : strAllOutDefault = "" Dim ScrPath : ScrPath = Fso.GetParentFolderName(WScript.ScriptFullName) If Right(ScrPath,1) <> "\" Then ScrPath = ScrPath & "\" 'initialize Path of Output File Folder to script path Dim strPathOFFo : strPathOFFo = ScrPath 'hive array Public arHives(1,1) arHives(0,0) = "HKCU" : arHives(1,0) = "HKLM" arHives(0,1) = &H80000001 : arHives(1,1) = &H80000002 'set up argument usage message string Dim strLSp, strCSp 'Leading Spaces, Centering Spaces strLSp = Space(4) : strCSp = Space(33) 'WScript spacing If flagOut = "C" Then 'CScript spacing strLsp = Space(3) : strCSp = Space(28) End If Dim strMsg : strMsg = "Only two arguments are permitted:" &_ vbCRLF & vbCRLF &_ "1. the name of an existing directory for the output report" &_ vbCRLF & strLSp & "(embed in quotes if it contains spaces)" &_ vbCRLF & vbCRLF & strCSp & "AND:" & vbCRLF & vbCRLF &_ "2. " & Chr(34) & "-supp" & Chr(34) & " to search " &_ "all directories for DESKTOP.INI DLL" & vbCRLF &_ strLSp & "launch points and all Registry CLSIDs for dormant" &_ vbCRLF & strLSp & "Explorer Bars" &_ vbCRLF & vbCRLF & strCSp & "-OR-" & vbCRLF & vbCRLF &_ "3. " & Chr(34) & "-all" & Chr(34) & " to output all non-empty " &_ "values and all launch" & vbCRLF & strLSp & "points checked" 'check if output directory or "-all" or "-supp" was supplied as argument If WshoArgs.length > 0 And WshoArgs.length <= 2 Then For i = 0 To WshoArgs.length-1 'if directory arg not already passed and arg directory exists If Not flagDirArg And Fso.FolderExists(WshoArgs(i)) Then 'get the path & toggle the directory arg flag Dim oOFFo : Set oOFFo = Fso.GetFolder(WshoArgs(i)) strPathOFFo = oOFFo.Path : flagDirArg = True If Right(strPathOFFo,1) <> "\" Then strPathOFFo = strPathOFFo & "\" Set oOFFo=Nothing 'if -all arg not already passed and is this arg ElseIf Not flagAllArg And LCase(WshoArgs(i)) = "-all" Then 'toggle ShowAll flag, toggle the all arg flag, fill report string flagShowAll = True : flagAllArg = True strRptOutput = "Output of all locations checked and all values found." 'if -all arg not already passed and is this arg ElseIf Not flagAllArg And LCase(WshoArgs(i)) = "-supp" Then flagSupp = True : flagAllArg = True strRptOutput = "Search enabled of all directories on local fixed " &_ "drives for DESKTOP.INI" & vbCRLF & " DLL launch points and of " &_ "all Registry CLSIDs for dormant Explorer Bars" & vbCRLF & strRptOutput 'argument can't be interpreted, so explain & quit Else If flagOut = "W" Then 'pop up a message window Wshso.Popup "The argument:" & vbCRLF &_ Chr(34) & UCase(WshoArgs(i)) & Chr(34) & vbCRLF &_ "... can't be interpreted." & vbCRLF & vbCRLF &_ strMsg,10,"Bad Script Argument", vbOKOnly + vbExclamation Else 'flagOut = "C" 'write the message to the console WScript.Echo vbCRLF & "The argument: " &_ Chr(34) & UCase(WshoArgs(i)) & Chr(34) &_ " can't be interpreted." & vbCRLF & vbCRLF &_ strMsg & vbCRLF End If 'WScript host? WScript.Quit End If 'argument can be interpreted? Next 'argument 'too many args passed ElseIf WshoArgs.length > 2 Then 'explain & quit If flagOut = "W" Then 'pop up a message window Wshso.Popup "Too many arguments (" & WshoArgs.length & ") were passed." &_ vbCRLF & vbCRLF & strMsg,10,"Too Many Arguments",_ vbOKOnly + vbCritical Else 'flagOut = "C" 'write the message to the console WScript.Echo "Too many arguments (" & WshoArgs.length & ") were passed." &_ vbCRLF & vbCRLF & strMsg & vbCRLF End If 'WScript host? WScript.Quit End If 'directory arguments passed? Set WshoArgs=Nothing datRef = Now 'if no cmd line argument for flagSupp and not testing, show popup If Not flagTest And Not flagShowAll And Not flagSupp And flagOut = "W" Then intMB = Wshso.Popup ("Do you want to skip the supplementary searches?" &_ vbCRLF & "(They typically take several minutes.)" & vbCRLF & vbCRLF &_ "Press " & Chr(34) & "Yes" & Chr(34) & Space(5) &_ " to skip the supplementary searches (default)" & vbCRLF & vbCRLF &_ Space(10) & Chr(34) & "No" & Chr(34) & Space(6) &_ " to perform them, or" & vbCRLF & vbCRLF &_ Space(10) & Chr(34) & "Cancel" & Chr(34) &_ " to get more information at the web site" & vbCRLF &_ Space(25) & "and exit the script.",_ 15,"Skip supplementary searches?",_ vbYesNoCancel + vbQuestion + vbDefaultButton1 + vbSystemModal) If intMB = vbNo Then flagSupp = True ElseIf intMB = vbCancel Then Wshso.Run "https://www.silentrunners.org/thescript.html#supp" WScript.Quit End If End If datPUB1 = DateDiff("s",datRef,Now) : datRef = Now 'inform user that script has started If Not flagTest Then If flagOut = "W" Then Wshso.PopUp Chr(34) & "Silent Runners" & Chr(34) & " has started." &_ vbCRLF & vbCRLF & "A message box like this one will appear " &_ "when it's done." & vbCRLF & vbCRLF & "Please be patient...",3,_ "Silent Runners R" & strRevNo & " startup", _ vbOKOnly + vbInformation + vbSystemModal Else WScript.Echo Chr(34) & "Silent Runners" & Chr(34) & " has started." &_ " Please be patient..." End If 'flagOut? End If 'flagTest? datPUB2 = DateDiff("s",datRef,Now) 'create output file name with computer name & today's date 'Startup Programs (pc_name_here) yyyy-mm-dd.txt strFNNP = "Startup Programs (" & oNetwk.ComputerName & ") " &_ FmtDate(datLaunch) & " " & FmtHMS(datLaunch) & ".txt" strFN = strPathOFFo & strflagTest & strFNNP On Error Resume Next If Fso.FileExists(strFN) Then Fso.DeleteFile(strFN) Err.Clear Public oFN : Set oFN = Fso.CreateTextFile(strFN,True) intErrNum = Err.Number : Err.Clear On Error Goto 0 'if can't create report file If intErrNum > 0 Then strURL = "https://www.silentrunners.org/Silent%20Runners%20RED.vbs" 'invite user to e-mail me & quit If flagOut = "W" Then intMB = MsgBox ("The script cannot create its report file. " &_ "This is a known, intermittent" & vbCRLF & "problem under " &_ strOSLong & "." & vbCRLF & vbCRLF &_ "An alternative script version is available for download. " &_ "After it runs, " & vbCRLF & "the script you're using now will " &_ "run correctly." & vbCRLF & vbCRLF &_ "Press " & Chr(34) & "OK" & Chr(34) & " to direct your browser " &_ "to the alternate script location, or" & vbCRLF & Space(10) &_ Chr(34) & "Cancel" & Chr(34) & " to quit.",49,"CreateTextFile Error!") 'if alternative script wanted now, send browser to dl site If intMB = 1 Then Wshso.Run strURL 'explain & quit Else 'flagOut = "C" WScript.Echo Chr(34) & "Silent Runners" & Chr(34) & " cannot " &_ "create the report file." & vbCRLF & vbCRLF &_ "An alternative script is available. Run it, then rerun this version." &_ vbCRLF & "The alternative script can be downloaded at: " & vbCRLF &_ vbCRLF & strURL End If WScript.Quit End If 'report file creation error? 'add report header Set oNetwk=Nothing oFN.WriteLine Chr(34) & "Silent Runners.vbs" & Chr(34) &_ ", revision " & strRevNo & ", https://www.silentrunners.org/" &_ vbCRLF & "Operating System: " & strOSLong & vbCRLF & strRptOutput 'test for WMI corruption and use WMI to differentiate between 'WXP Home & WXP Pro 'get the O/S collection Dim colOS : Set colOS = GetObject("winmgmts:\root\cimv2").ExecQuery _ ("Select * from Win32_OperatingSystem") On Error Resume Next Err.Clear For Each oOS in colOS If strOS = "WXP" Then 'modify strOSXP if O/S = Pro If InStr(1,LCase(oOS.Name),"professional",1) > 0 Then strOSXP = "Windows XP Professional" flagGP = True End If 'modify strOSXP if SP2 If Right(strOSLong,3) = "SP2" Then strOSXP = strOSXP & " SP2" End If 'WXP? Next 'oOS If Err.Number <> 0 Then strURL = "http://go.microsoft.com/fwlink/?LinkId=62562" oFN.WriteLine vbCRLF & "FATAL ERROR!" & vbCRLF & String(12,"-") &_ vbCRLF & vbCRLF & DQ & "Silent Runners" & DQ &_ " cannot use WMI to identify the operating system." &_ vbCRLF & "This is caused by corruption of the WMI installation." &_ vbCRLF & vbCRLF &_ "WMI is complex and it is recommended that you use a Microsoft" &_ vbCRLF & "tool, " & DQ & "WMIDiag.vbs," & DQ & " to diagnose WMI " &_ "on your system." & vbCRLF & vbCRLF & "It can be downloaded here:" &_ vbCRLF & vbCRLF & strURL intMB = MsgBox (DQ & "Silent Runners" & DQ & " cannot use WMI to " &_ "identify the operating system." & vbCRLF & "This is caused by " &_ "corruption of the WMI installation." &_ vbCRLF & vbCRLF &_ "WMI is complex and it is recommended that you use a Microsoft" &_ vbCRLF & "tool, " & DQ & "WMIDiag.vbs," & DQ & " to diagnose WMI " &_ "on your system." &_ vbCRLF & vbCRLF &_ "Press " & DQ & "OK" & DQ & " to direct your browser to the " &_ "WMIDiag download site or" &_ vbCRLF & Space(10) & DQ & "Cancel" & DQ & " to quit.",_ vbOKCancel + vbCritical + + vbSystemModal + vbDefaultButton2,_ "Can't iterate Win32_OperatingSystem!") 'if dl wanted now, send browser to dl site If intMB = 1 Then Wshso.Run strURL WScript.Quit End If 'Err.Number<>0? On Error Goto 0 Set colOS=Nothing 'I. Examine HKCU/HKLM... Run/RunOnce/RunOnceEx/RunServices/RunServicesOnce ' and HKCU/HKLM... Policies\Explorer\Run If Not flagTest Then 'skip if testing 'write registry header lines to file strTitle = "Startup items buried in registry:" TitleLineWrite 'put keys in array (Key Index 0 - 6) arRunKeys = Array ("SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run", _ "SOFTWARE\Microsoft\Windows\CurrentVersion\Run", _ "SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce", _ "SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Setup", _ "SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx", _ "SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices", _ "SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce") 'Key Execution Flag/Subkey Recursion Flag array ' 'first number in the ordered pair in the array immediately below ' pertains to execution of the key: '0: not executed (ignore) '1: may be executed so display with EXECUTION UNLIKELY warning '2: executable ' 'second number in the ordered pair pertains to subkey recursion '0: subkeys not used '1: subkey recursion necessary 'Hive HKCU - 0 HKLM - 1 ' 'Key 0 1 2 3 4 5 6 0 1 2 3 4 5 6 'Index ' 'O/S: 'W98 0,0 2,0 2,0 0,0 0,0 0,0 0,0 0,0 2,0 2,0 2,0 2,1 2,0 2,0 'WME 0,0 2,0 2,0 0,0 0,0 0,0 0,0 0,0 2,0 2,0 2,0 2,1 2,0 2,0 'NT4 1,0 2,0 2,0 0,0 0,0 0,0 0,0 1,0 2,0 2,0 1,0 2,1 0,0 0,0 'W2K 2,1 2,1 2,1 0,0 0,0 0,0 0,0 2,1 2,1 2,1 0,0 2,1 0,0 0,0 'WXP 2,0 2,0 2,0 0,0 0,0 0,0 0,0 2,0 2,0 2,0 1,0 2,1 0,0 0,0 'WS2K3 ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? 'arRegFlag(i,j,k): put flags in array by O/S: 'hive = i (0 or 1), key_# = j (0-6), ' flags (key execution/subkey recursion) = k (0 or 1) ' k = 0 holds key execution value = 0/1/2 ' 1 holds subkey recursion value = 0/1 Dim arRegFlag() ReDim arRegFlag(1,6,1) 'initialize entire array to zero For i = 0 To 1 : For j = 0 To 6 : For k = 0 To 1 arRegFlag(i,j,k) = 0 Next : Next : Next 'add data to array for O/S that's running 'W98 0,0 2,0 2,0 0,0 0,0 0,0 0,0 0,0 2,0 2,0 2,0 2,1 2,0 2,0 If strOS = "W98" Or strOS = "WME" Then arRegFlag(0,1,0) = 2 'HKCU,Run = no-warn arRegFlag(0,2,0) = 2 'HKCU,RunOnce = no-warn arRegFlag(1,1,0) = 2 'HKLM,Run = no-warn arRegFlag(1,2,0) = 2 'HKLM,RunOnce = no-warn arRegFlag(1,3,0) = 2 'HKLM,RunOnce\Setup = no-warn arRegFlag(1,4,0) = 2 'HKLM,RunOnceEx = no-warn arRegFlag(1,4,1) = 1 'HKLM,RunOnceEx = sub-keys arRegFlag(1,5,0) = 2 'HKLM,RunServices = no-warn arRegFlag(1,6,0) = 2 'HKLM,RunServicesOnce = no-warn End If 'NT4 1,0 2,0 2,0 0,0 0,0 0,0 0,0 1,0 2,0 2,0 1,0 2,1 0,0 0,0 If strOS = "NT4" Then arRegFlag(0,0,0) = 1 'HKCU,Explorer\Run = warning arRegFlag(0,1,0) = 2 'HKCU,Run = no-warn arRegFlag(0,2,0) = 2 'HKCU,RunOnce = no-warn arRegFlag(1,0,0) = 1 'HKLM,Explorer\Run = warning arRegFlag(1,1,0) = 2 'HKLM,Run = no-warn arRegFlag(1,2,0) = 2 'HKLM,RunOnce = no-warn arRegFlag(1,3,0) = 1 'HKLM,RunOnce\Setup = warning arRegFlag(1,4,0) = 2 'HKLM,RunOnceEx = no-warn arRegFlag(1,4,1) = 1 'HKLM,RunOnceEx = sub-keys End If 'W2K 2,1 2,1 2,1 0,0 0,0 0,0 0,0 2,1 2,1 2,1 0,0 2,1 0,0 0,0 If strOs = "W2K" Then arRegFlag(0,0,0) = 2 'HKCU,Explorer\Run = no-warn arRegFlag(0,0,1) = 1 'HKCU,Explorer\Run = sub-keys arRegFlag(0,1,0) = 2 'HKCU,Run = no-warn arRegFlag(0,1,1) = 1 'HKCU,Run = sub-keys arRegFlag(0,2,0) = 2 'HKCU,RunOnce = no-warn arRegFlag(0,2,1) = 1 'HKCU,RunOnce = sub-keys arRegFlag(1,0,0) = 2 'HKLM,Explorer\Run = no-warn arRegFlag(1,0,1) = 1 'HKLM,Explorer\Run = sub-keys arRegFlag(1,1,0) = 2 'HKLM,Run = no-warn arRegFlag(1,1,1) = 1 'HKLM,Run = sub-keys arRegFlag(1,2,0) = 2 'HKLM,RunOnce = no-warn arRegFlag(1,2,1) = 1 'HKLM,RunOnce = sub-keys arRegFlag(1,4,0) = 2 'HKLM,RunOnceEx = no-warn arRegFlag(1,4,1) = 1 'HKLM,RunOnceEx = sub-keys End If 'WXP 2,0 2,0 2,0 0,0 0,0 0,0 0,0 2,0 2,0 2,0 1,0 2,1 0,0 0,0 If strOs = "WXP" Then arRegFlag(0,0,0) = 2 'HKCU,Explorer\Run = no-warn arRegFlag(0,1,0) = 2 'HKCU,Run = no-warn arRegFlag(0,2,0) = 2 'HKCU,RunOnce = no-warn arRegFlag(1,0,0) = 2 'HKLM,Explorer\Run = no-warn arRegFlag(1,1,0) = 2 'HKLM,Run = no-warn arRegFlag(1,2,0) = 2 'HKLM,RunOnce = no-warn arRegFlag(1,3,0) = 1 'HKLM,RunOnce\Setup = warning arRegFlag(1,4,0) = 2 'HKLM,RunOnceEx = no-warn arRegFlag(1,4,1) = 1 'HKLM,RunOnceEx = sub-keys End If 'for each hive For i = 0 To 1 'for each key For j = 0 To 6 'if not ShowAll, show all output for Run keys If j = 1 And Not flagShowAll Then strAllOutDefault = " {++}" 'if key is not ignored If arRegFlag(i,j,0) > 0 Then flagNVP = False 'intialize string with warning if necessary strWarn = "" If arRegFlag(i,j,0) = 1 Then strWarn = "EXECUTION UNLIKELY: " 'with no name/value pairs (sub-keys are identical) ' IsArray TypeName UBound 'W98 True "Variant()" -1 'WME True "Variant()" -1 'NT4 True "Variant()" -1 'W2K False "Null" -- 'WXP False "Null" -- 'WS2K3 True "Variant()" -- EnumNVP arHives(i,1), arRunKeys(j), arNames, arType If flagNVP Then 'name/value pairs exist 'write the full key name oFN.WriteLine vbCRLF & arHives(i,0) & "\" & arRunKeys(j) & "\" & strAllOutDefault 'for each data type in the names array For k = LBound(arNames) To UBound(arNames) 'use the type to find the value strValue = RtnValue (arHives(i,1), arRunKeys(j), arNames(k), arType(k)) 'write the name & value WriteValueData arNames(k), strValue, arType(k), strWarn Next 'member of names array Else 'no name/value pairs If flagShowAll Then _ oFN.WriteLine vbCRLF & arHives(i,0) & "\" & arRunKeys(j) & "\" End If 'flagNVP? 'recurse subkeys if necessary If arRegFlag(i,j,1) = 1 Then 'put all subkeys into array oReg.EnumKey arHives(i,1),arRunKeys(j),arKeys 'excludes W2K/WXP with no sub-keys If IsArray(arKeys) Then 'excludes W98/WME/NT4/WS2K3 with no sub-keys For Each strMemKey in arKeys flagNVP = False strSubKey = arRunKeys(j) & "\" & strMemKey EnumNVP arHives(i,1), arRunKeys(j) & "\" & strMemKey,arNames,arType If flagNVP Then 'if name/value pairs exist 'write the full key name oFN.WriteLine vbCRLF & arHives(i,0) & "\" & strSubKey & strAllOutDefault 'for each data type in the names array For k = LBound(arNames) To UBound(arNames) 'use the type to find the value strValue = RtnValue (arHives(i,1), strSubKey, arNames(k), arType(k)) 'write the name & value WriteValueData arNames(k), strValue, arType(k), strWarn Next 'member of names array Else 'no name/value pairs If flagShowAll Then _ oFN.WriteLine vbCRLF & arHives(i,0) & "\" & strSubKey & "\" End If 'flagNVP? Next 'sub-key End If 'sub-keys exist? W2K/WXP/WS2K3 End If 'enum sub-keys? End If 'arRegFlag(i,j,0) > 0 Next 'Run key Next 'Hive strAllOutDefault = "" : flagNVP = False 'recover array memory ReDim arRunKeys(0) ReDim arKeys(0) ReDim arRegFlag(0) End If 'flagTest? 'II. Examine HKLM... Active Setup\Installed Components If Not flagTest Then 'skip if testing 'flags True if only numeric & comma chrs in Version values Dim flagHKLMVer, flagHKCUVer 'StubPath Value string, HKLM Version value, HKCU Version value, HKLM program name Dim strSPV, strHKLMVer, strHKCUVer, strPgmName Dim arHKLMKeys, arHKCUKeys, strHKLMKey, strHKCUKey strKey = "Software\Microsoft\Active Setup\Installed Components" strSubTitle = "HKLM" & "\" & strKey & "\" 'find all the subkeys oReg.EnumKey HKLM, strKey, arHKLMKeys 'HKLM oReg.EnumKey HKCU, strKey, arHKCUKeys 'HKCU 'enumerate HKLM keys if present If IsArray(arHKLMKeys) Then 'for each HKLM key For Each strHKLMKey In arHKLMKeys 'Default Value not set: 'W98/WME: returns 0, strValue = "" 'NT4/W2K/WXP: returns non-zero, strValue = Null 'Non-Default name inexistent: 'W98/WME/NT4/W2K/WXP: returns non-zero, strValue = Null 'Non-Default Value not set: 'W2K: returns 0, strValue = unwritable string 'W98/WME/NT4/WXP: returns 0, strValue = "" 'get the StubPath value intErrNum = oReg.GetStringValue (HKLM,strKey & "\" & strHKLMKey,"StubPath",strSPV) 'if the StubPath name exists And value set (exc for W2K!) If intErrNum = 0 And strSPV <> "" Then flagMatch = False 'if HKCU keys present If IsArray(arHKCUKeys) Then 'for each HKCU key For Each strHKCUKey in arHKCUKeys 'if identical HKLM key exists If LCase(strHKLMKey) = LCase(strHKCUKey) Then 'assume Version fmts are OK flagHKLMVer = True : flagHKCUVer = True 'get HKLM & HKCU Version values intErrNum1 = oReg.GetStringValue (HKLM,strKey & "\" & strHKLMKey, _ "Version",strHKLMVer) 'HKLM Version # intErrNum2 = oReg.GetStringValue (HKCU,strKey & "\" & strHKCUKey, _ "Version",strHKCUVer) 'HKCU Version # 'if HKLM Version name exists And value set (exc for W2K!) If intErrNum1 = 0 And strHKLMVer <> "" Then 'the next two loops check for allowed chars (numeric & comma) ' in returned Version values For i = 1 To Len(strHKLMVer) strChr = Mid(strHKLMVer,i,1) If Not IsNumeric(strChr) And strChr <> "," Then flagHKLMVer = False Next 'if HKCU Version name exists And value set (exc for W2K!) If intErrNum2 = 0 And strHKCUVer <> "" Then 'check that value consists only of numeric & comma chrs For i = 1 To Len(strHKCUVer) strChr = Mid(strHKCUVer,i,1) If Not IsNumeric(strChr) And strChr <> "," Then flagHKCUVer = False Next End If 'HKCU Version null or MT? 'if HKLM Ver # has illegal fmt (i.e., is not assigned) or doesn't exist (is Null) ' or is empty, match = True 'if HKCU/HKLM Ver # fmts OK And HKCU Ver # >= HKLM Ver #, match = True 'if HKLM Ver # = "0,0" and HKCU Ver # = "", key will output ' but StubPath will not launch If Not flagHKLMVer Then flagMatch = True If flagHKLMVer And flagHKCUVer And strHKCUVer >= strHKLMVer Then flagMatch = True Else 'HKLM Version name doesn't exist Or value not set (exc for W2K!) flagMatch = True End If 'HKLM Version name exists And value set (exc for W2K!)? End If 'HKCU key=HKLM key? Next 'HKCU Installed Components key End If 'HKCU Installed Components subkeys exist? 'if the StubPath will launch If Not flagMatch Then flagAllow = False 'assume StubPath DLL not on approved list strCN = CoName(IDExe(strSPV)) 'test for approved StubPath DLL If LCase(strHKLMKey) = ">{22d6f312-b0f6-11d0-94ab-0080c74c7e95}" And _ (InStr(LCase(strSPV),"wmpocm.exe") > 0 Or _ InStr(LCase(strSPV),"unregmp2.exe") > 0) And _ strCN = MS And Not flagShowAll Then flagAllow = True 'StubPath DLL not approved If Not flagAllow Then 'get the default value (program name) intErrNum3 = oReg.GetStringValue (HKLM,strKey & "\" & strHKLMKey,"",strPgmName) 'enclose pgm name in quotes if name exists and default value isn't empty If intErrNum3 = 0 And strPgmName <> "" Then strPgmName = Chr(34) & strPgmName & Chr(34) Else strPgmName = "(no title provided)" End If TitleLineWrite 'output the CLSID & pgm name oFN.WriteLine strHKLMKey & "\(Default) = " & StringFilter(strPgmName,False) On Error Resume Next 'output the StubPath value oFN.WriteLine Space(Len(strHKLMKey)+1) & "\StubPath = " &_ Chr(34) & strSPV & Chr(34) & strCN 'error check for W2K if StubPath value not set If Err.Number <> 0 Then oFN.WriteLine Space(Len(strHKLMKey)+1) & "\StubPath = " &_ "(value not set)" Err.Clear On Error GoTo 0 End If 'flagAllow false? End If 'flagMatch false? End If 'StubPath value exists? Next 'HKLM Installed Components subkey End If 'HKLM Installed Components subkeys exist? If flagShowAll Then TitleLineWrite 'recover array memory ReDim arHKLMKeys(0) ReDim arHKCUKeys(0) strTitle = "" : strSubTitle = "" : strSubSubTitle = "" End If 'flagTest? 'III. Examine HKLM... Explorer\Browser Helper Objects If Not flagTest Then 'skip if testing strKey = "Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" strSubTitle = "HKLM" & "\" & strKey & "\" 'find all the subkeys oReg.EnumKey HKLM, strKey, arSubKeys 'enumerate data if present If IsArray(arSubKeys) Then 'for each key For Each strSubKey In arSubKeys flagTitle = False CLSIDLocTitle HKLM, strKey & "\" & strSubKey, "", strLocTitle For ctrCH = intCLL To 1 ResolveCLSID strSubKey, arHives(ctrCH,1), strCLSIDTitle, strIPSDLL If strIPSDLL <> "" Then 'output the title line if not already done TitleLineWrite If Not flagTitle Then 'error check for W2K if value not set On Error Resume Next oFN.WriteLine strSubKey & "\(Default) = " & strLocTitle intErrNum = Err.Number : Err.Clear If intErrNum <> 0 Then oFN.WriteLine strSubKey &_ "\(Default) = (no title provided)" flagTitle = True On Error GoTo 0 End If 'output CLSID title, InProcServer32 DLL & CoName oFN.WriteLine " -> {" & arHives(ctrCH,0) & "...CLSID} = " &_ strCLSIDTitle & vbCRLF & Space(19) & "\InProcServer32\(Default) = " &_ StringFilter(strIPSDLL,True) & CoName(IDExe(strIPSDLL)) End If 'strIPSDLL exists? Next 'CLSID hive Next 'BHO subkey End If 'BHO subkeys exist? 'if ShowAll, output the key name if not already done If flagShowAll Then TitleLineWrite strTitle = "" : strSubTitle = "" : strSubSubTitle = "" 'recover array memory ReDim arSubKeys(0) End If 'flagTest? 'IV. Examine HKLM... Shell Extensions\Approved\ If Not flagTest Then 'skip if testing 'CLSID value, InProcessServer32 DLL name & output file version, 'CLSID Key Title display flag Dim strCLSID, strIPSDLL, strIPSDLLOut, strCLSIDTitle, strLocTitle 'Shell Extension Approved array Dim arSEA() ReDim arSEA(243,1) 'WXP arSEA(0,0) = "{00022613-0000-0000-C000-000000000046}" : arSEA(0,1) = "mmsys.cpl" arSEA(1,0) = "{176d6597-26d3-11d1-b350-080036a75b03}" : arSEA(1,1) = "icmui.dll" arSEA(2,0) = "{1F2E5C40-9550-11CE-99D2-00AA006E086C}" : arSEA(2,1) = "rshx32.dll" arSEA(3,0) = "{3EA48300-8CF6-101B-84FB-666CCB9BCD32}" : arSEA(3,1) = "docprop.dll" arSEA(4,0) = "{40dd6e20-7c17-11ce-a804-00aa003ca9f6}" : arSEA(4,1) = "ntshrui.dll" arSEA(5,0) = "{41E300E0-78B6-11ce-849B-444553540000}" : arSEA(5,1) = "themeui.dll" arSEA(6,0) = "{42071712-76d4-11d1-8b24-00a0c9068ff3}" : arSEA(6,1) = "deskadp.dll" arSEA(7,0) = "{42071713-76d4-11d1-8b24-00a0c9068ff3}" : arSEA(7,1) = "deskmon.dll" arSEA(8,0) = "{42071714-76d4-11d1-8b24-00a0c9068ff3}" : arSEA(8,1) = "deskpan.dll" arSEA(9,0) = "{4E40F770-369C-11d0-8922-00A024AB2DBB}" : arSEA(9,1) = "dssec.dll" arSEA(10,0) = "{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}" : arSEA(10,1) = "SlayerXP.dll" arSEA(11,0) = "{56117100-C0CD-101B-81E2-00AA004AE837}" : arSEA(11,1) = "shscrap.dll" arSEA(12,0) = "{59099400-57FF-11CE-BD94-0020AF85B590}" : arSEA(12,1) = "diskcopy.dll" arSEA(13,0) = "{59be4990-f85c-11ce-aff7-00aa003ca9f6}" : arSEA(13,1) = "ntlanui2.dll" arSEA(14,0) = "{5DB2625A-54DF-11D0-B6C4-0800091AA605}" : arSEA(14,1) = "icmui.dll" arSEA(15,0) = "{675F097E-4C4D-11D0-B6C1-0800091AA605}" : arSEA(15,1) = "icmui.dll" arSEA(16,0) = "{764BF0E1-F219-11ce-972D-00AA00A14F56}" : arSEA(16,1) = "" arSEA(17,0) = "{77597368-7b15-11d0-a0c2-080036af3f03}" : arSEA(17,1) = "printui.dll" arSEA(18,0) = "{7988B573-EC89-11cf-9C00-00AA00A14F56}" : arSEA(18,1) = "dskquoui.dll" arSEA(19,0) = "{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}" : arSEA(19,1) = "" arSEA(20,0) = "{85BBD920-42A0-1069-A2E4-08002B30309D}" : arSEA(20,1) = "syncui.dll" arSEA(21,0) = "{88895560-9AA2-1069-930E-00AA0030EBC8}" : arSEA(21,1) = "hticons.dll" arSEA(22,0) = "{BD84B380-8CA2-1069-AB1D-08000948F534}" : arSEA(22,1) = "fontext.dll" arSEA(23,0) = "{DBCE2480-C732-101B-BE72-BA78E9AD5B27}" : arSEA(23,1) = "icmui.dll" arSEA(24,0) = "{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}" : arSEA(24,1) = "rshx32.dll" arSEA(25,0) = "{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}" : arSEA(25,1) = "ntshrui.dll" arSEA(26,0) = "{f92e8c40-3d33-11d2-b1aa-080036a75b03}" : arSEA(26,1) = "deskperf.dll" arSEA(27,0) = "{7444C717-39BF-11D1-8CD9-00C04FC29D45}" : arSEA(27,1) = "cryptext.dll" arSEA(28,0) = "{7444C719-39BF-11D1-8CD9-00C04FC29D45}" : arSEA(28,1) = "cryptext.dll" arSEA(29,0) = "{7007ACC7-3202-11D1-AAD2-00805FC1270E}" : arSEA(29,1) = "NETSHELL.dll" arSEA(30,0) = "{992CFFA0-F557-101A-88EC-00DD010CCC48}" : arSEA(30,1) = "NETSHELL.dll" arSEA(31,0) = "{E211B736-43FD-11D1-9EFB-0000F8757FCD}" : arSEA(31,1) = "wiashext.dll" arSEA(32,0) = "{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}" : arSEA(32,1) = "wiashext.dll" arSEA(33,0) = "{905667aa-acd6-11d2-8080-00805f6596d2}" : arSEA(33,1) = "wiashext.dll" arSEA(34,0) = "{3F953603-1008-4f6e-A73A-04AAC7A992F1}" : arSEA(34,1) = "wiashext.dll" arSEA(35,0) = "{83bbcbf3-b28a-4919-a5aa-73027445d672}" : arSEA(35,1) = "wiashext.dll" arSEA(36,0) = "{F0152790-D56E-4445-850E-4F3117DB740C}" : arSEA(36,1) = "remotepg.dll" arSEA(37,0) = "{5F327514-6C5E-4d60-8F16-D07FA08A78ED}" : arSEA(37,1) = "wuaucpl.cpl" arSEA(38,0) = "{60254CA5-953B-11CF-8C96-00AA00B8708C}" : arSEA(38,1) = "wshext.dll" arSEA(39,0) = "{2206CDB2-19C1-11D1-89E0-00C04FD7A829}" : arSEA(39,1) = "oledb32.dll" arSEA(40,0) = "{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}" : arSEA(40,1) = "mstask.dll" arSEA(41,0) = "{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}" : arSEA(41,1) = "mstask.dll" arSEA(42,0) = "{D6277990-4C6A-11CF-8D87-00AA0060F5BF}" : arSEA(42,1) = "mstask.dll" arSEA(43,0) = "{0DF44EAA-FF21-4412-828E-260A8728E7F1}" : arSEA(43,1) = "" arSEA(44,0) = "{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}" : arSEA(44,1) = "shdocvw.dll" arSEA(45,0) = "{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}" : arSEA(45,1) = "shdocvw.dll" arSEA(46,0) = "{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}" : arSEA(46,1) = "shdocvw.dll" arSEA(47,0) = "{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}" : arSEA(47,1) = "shdocvw.dll" arSEA(48,0) = "{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}" : arSEA(48,1) = "shdocvw.dll" arSEA(49,0) = "{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}" : arSEA(49,1) = "shdocvw.dll" arSEA(50,0) = "{D20EA4E1-3957-11d2-A40B-0C5020524152}" : arSEA(50,1) = "shdocvw.dll" arSEA(51,0) = "{D20EA4E1-3957-11d2-A40B-0C5020524153}" : arSEA(51,1) = "shdocvw.dll" arSEA(52,0) = "{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}" : arSEA(52,1) = "shmedia.dll" arSEA(53,0) = "{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}" : arSEA(53,1) = "shmedia.dll" arSEA(54,0) = "{E4B29F9D-D390-480b-92FD-7DDB47101D71}" : arSEA(54,1) = "shmedia.dll" arSEA(55,0) = "{87D62D94-71B3-4b9a-9489-5FE6850DC73E}" : arSEA(55,1) = "shmedia.dll" arSEA(56,0) = "{A6FD9E45-6E44-43f9-8644-08598F5A74D9}" : arSEA(56,1) = "shmedia.dll" arSEA(57,0) = "{c5a40261-cd64-4ccf-84cb-c394da41d590}" : arSEA(57,1) = "shmedia.dll" arSEA(58,0) = "{5E6AB780-7743-11CF-A12B-00AA004AE837}" : arSEA(58,1) = "browseui.dll" arSEA(59,0) = "{22BF0C20-6DA7-11D0-B373-00A0C9034938}" : arSEA(59,1) = "browseui.dll" arSEA(60,0) = "{91EA3F8B-C99B-11d0-9815-00C04FD91972}" : arSEA(60,1) = "browseui.dll" arSEA(61,0) = "{6413BA2C-B461-11d1-A18A-080036B11A03}" : arSEA(61,1) = "browseui.dll" arSEA(62,0) = "{F61FFEC1-754F-11d0-80CA-00AA005B4383}" : arSEA(62,1) = "browseui.dll" arSEA(63,0) = "{7BA4C742-9E81-11CF-99D3-00AA004AE837}" : arSEA(63,1) = "browseui.dll" arSEA(64,0) = "{30D02401-6A81-11d0-8274-00C04FD5AE38}" : arSEA(64,1) = "browseui.dll" arSEA(65,0) = "{32683183-48a0-441b-a342-7c2a440a9478}" : arSEA(65,1) = "browseui.dll" arSEA(66,0) = "{169A0691-8DF9-11d1-A1C4-00C04FD75D13}" : arSEA(66,1) = "browseui.dll" arSEA(67,0) = "{07798131-AF23-11d1-9111-00A0C98BA67D}" : arSEA(67,1) = "browseui.dll" arSEA(68,0) = "{AF4F6510-F982-11d0-8595-00AA004CD6D8}" : arSEA(68,1) = "browseui.dll" arSEA(69,0) = "{01E04581-4EEE-11d0-BFE9-00AA005B4383}" : arSEA(69,1) = "browseui.dll" arSEA(70,0) = "{A08C11D2-A228-11d0-825B-00AA005B4383}" : arSEA(70,1) = "browseui.dll" arSEA(71,0) = "{00BB2763-6A77-11D0-A535-00C04FD7D062}" : arSEA(71,1) = "browseui.dll" arSEA(72,0) = "{7376D660-C583-11d0-A3A5-00C04FD706EC}" : arSEA(72,1) = "browseui.dll" arSEA(73,0) = "{6756A641-DE71-11d0-831B-00AA005B4383}" : arSEA(73,1) = "browseui.dll" arSEA(74,0) = "{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}" : arSEA(74,1) = "browseui.dll" arSEA(75,0) = "{7e653215-fa25-46bd-a339-34a2790f3cb7}" : arSEA(75,1) = "browseui.dll" arSEA(76,0) = "{acf35015-526e-4230-9596-becbe19f0ac9}" : arSEA(76,1) = "browseui.dll" arSEA(77,0) = "{E0E11A09-5CB8-4B6C-8332-E00720A168F2}" : arSEA(77,1) = "browseui.dll" arSEA(78,0) = "{00BB2764-6A77-11D0-A535-00C04FD7D062}" : arSEA(78,1) = "browseui.dll" arSEA(79,0) = "{03C036F1-A186-11D0-824A-00AA005B4383}" : arSEA(79,1) = "browseui.dll" arSEA(80,0) = "{00BB2765-6A77-11D0-A535-00C04FD7D062}" : arSEA(80,1) = "browseui.dll" arSEA(81,0) = "{ECD4FC4E-521C-11D0-B792-00A0C90312E1}" : arSEA(81,1) = "browseui.dll" arSEA(82,0) = "{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}" : arSEA(82,1) = "browseui.dll" arSEA(83,0) = "{ECD4FC4C-521C-11D0-B792-00A0C90312E1}" : arSEA(83,1) = "browseui.dll" arSEA(84,0) = "{ECD4FC4D-521C-11D0-B792-00A0C90312E1}" : arSEA(84,1) = "browseui.dll" arSEA(85,0) = "{DD313E04-FEFF-11d1-8ECD-0000F87A470C}" : arSEA(85,1) = "browseui.dll" arSEA(86,0) = "{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}" : arSEA(86,1) = "browseui.dll" arSEA(87,0) = "{EFA24E61-B078-11d0-89E4-00C04FC9E26E}" : arSEA(87,1) = "shdocvw.dll" arSEA(88,0) = "{0A89A860-D7B1-11CE-8350-444553540000}" : arSEA(88,1) = "shdocvw.dll" arSEA(89,0) = "{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}" : arSEA(89,1) = "shdocvw.dll" arSEA(90,0) = "{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}" : arSEA(90,1) = "shdocvw.dll" arSEA(91,0) = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}" : arSEA(91,1) = "shdocvw.dll" arSEA(92,0) = "{3C374A40-BAE4-11CF-BF7D-00AA006946EE}" : arSEA(92,1) = "shdocvw.dll" arSEA(93,0) = "{FF393560-C2A7-11CF-BFF4-444553540000}" : arSEA(93,1) = "shdocvw.dll" arSEA(94,0) = "{7BD29E00-76C1-11CF-9DD0-00A0C9034933}" : arSEA(94,1) = "shdocvw.dll" arSEA(95,0) = "{7BD29E01-76C1-11CF-9DD0-00A0C9034933}" : arSEA(95,1) = "shdocvw.dll" arSEA(96,0) = "{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" : arSEA(96,1) = "shdocvw.dll" arSEA(97,0) = "{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}" : arSEA(97,1) = "shdocvw.dll" arSEA(98,0) = "{67EA19A0-CCEF-11d0-8024-00C04FD75D13}" : arSEA(98,1) = "shdocvw.dll" arSEA(99,0) = "{131A6951-7F78-11D0-A979-00C04FD705A2}" : arSEA(99,1) = "shdocvw.dll" arSEA(100,0) = "{9461b922-3c5a-11d2-bf8b-00c04fb93661}" : arSEA(100,1) = "shdocvw.dll" arSEA(101,0) = "{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}" : arSEA(101,1) = "shdocvw.dll" arSEA(102,0) = "{871C5380-42A0-1069-A2EA-08002B30309D}" : arSEA(102,1) = "shdocvw.dll" arSEA(103,0) = "{EFA24E64-B078-11d0-89E4-00C04FC9E26E}" : arSEA(103,1) = "shdocvw.dll" arSEA(104,0) = "{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}" : arSEA(104,1) = "sendmail.dll" arSEA(105,0) = "{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}" : arSEA(105,1) = "sendmail.dll" arSEA(106,0) = "{88C6C381-2E85-11D0-94DE-444553540000}" : arSEA(106,1) = "occache.dll" arSEA(107,0) = "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}" : arSEA(107,1) = "webcheck.dll" arSEA(108,0) = "{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}" : arSEA(108,1) = "webcheck.dll" arSEA(109,0) = "{F5175861-2688-11d0-9C5E-00AA00A45957}" : arSEA(109,1) = "webcheck.dll" arSEA(110,0) = "{08165EA0-E946-11CF-9C87-00AA005127ED}" : arSEA(110,1) = "webcheck.dll" arSEA(111,0) = "{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}" : arSEA(111,1) = "webcheck.dll" arSEA(112,0) = "{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}" : arSEA(112,1) = "webcheck.dll" arSEA(113,0) = "{7D559C10-9FE9-11d0-93F7-00AA0059CE02}" : arSEA(113,1) = "webcheck.dll" arSEA(114,0) = "{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}" : arSEA(114,1) = "webcheck.dll" arSEA(115,0) = "{D8BD2030-6FC9-11D0-864F-00AA006809D9}" : arSEA(115,1) = "webcheck.dll" arSEA(116,0) = "{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}" : arSEA(116,1) = "webcheck.dll" arSEA(117,0) = "{352EC2B7-8B9A-11D1-B8AE-006008059382}" : arSEA(117,1) = "appwiz.cpl" arSEA(118,0) = "{0B124F8F-91F0-11D1-B8B5-006008059382}" : arSEA(118,1) = "appwiz.cpl" arSEA(119,0) = "{CFCCC7A0-A282-11D1-9082-006008059382}" : arSEA(119,1) = "appwiz.cpl" arSEA(120,0) = "{e84fda7c-1d6a-45f6-b725-cb260c236066}" : arSEA(120,1) = "shimgvw.dll" arSEA(121,0) = "{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}" : arSEA(121,1) = "shimgvw.dll" arSEA(122,0) = "{3F30C968-480A-4C6C-862D-EFC0897BB84B}" : arSEA(122,1) = "shimgvw.dll" arSEA(123,0) = "{9DBD2C50-62AD-11d0-B806-00C04FD706EC}" : arSEA(123,1) = "shimgvw.dll" arSEA(124,0) = "{EAB841A0-9550-11cf-8C16-00805F1408F3}" :

Regis59 · Answer

Re,Ah non c est pas ca lolClik icihttps://www.silentrunners.org/Dans cette phrase sur le site, clik sur "here"If you want to download the latest version of “Silent Runners.vbs”, click here for Revision 46. (It's about 291 KB.) a+

laurentired · Answer

c'est bien ce que j'avais fait, et encore là je retombe sur cette meme page. que faire?a tout'

laurentired · Answer

pardon, pardon, il suffisait que je lise les FAQ...dslle voici donc, cette fois:"Silent Runners.vbs", revision 46, https://www.silentrunners.org/Operating System: Windows XP SP2Output limited to non-default values, except where indicated by "{++}"Startup items buried in registry:---------------------------------HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}"LaunchApp" = "Alaunch" ["Acer Inc."]"SynTPLpr" = "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" ["Synaptics, Inc."]"SynTPEnh" = "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" ["Synaptics, Inc."]"PCMService" = ""C:\Program Files\Aspire Arcade\PCMService.exe"" ["CyberLink Corp."]"IMJPMIG8.1" = ""C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32" [MS]"MSPY2002" = "C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC" [null data]"PHIME2002ASync" = "C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC" [MS]"PHIME2002A" = "C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName" [MS]"ATIPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]"LManager" = "C:\Program Files\Launch Manager\QtZgAcer.EXE" ["Dritek System Inc."]"avast!" = "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [null data]"TkBellExe" = ""C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe"  -osboot" ["RealNetworks, Inc."]"Zone Labs Client" = "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" ["Zone Labs, LLC"]HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)  -> {HKLM...CLSID} = "AcroIEHlprObj Class"                   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)  -> {HKLM...CLSID} = (no title provided)                   \InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Extension Affichage Panorama du Panneau de configuration"  -> {HKLM...CLSID} = "Extension Affichage Panorama du Panneau de configuration"                   \InProcServer32\(Default) = "deskpan.dll" [file not found]"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Extension icône HyperTerminal"  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"                   \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]"{2F603045-309F-11CF-9774-0020AFD0CFF6}" = "Synaptics Control Panel"  -> {HKLM...CLSID} = (no title provided)                   \InProcServer32\(Default) = "C:\Program Files\Synaptics\SynTP\SynTPCpl.dll" ["Synaptics, Inc."]"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"  -> {HKLM...CLSID} = "Microsoft Office Outlook"                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"  -> {HKLM...CLSID} = "Outlook File Icon Extension"                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"  -> {HKLM...CLSID} = (no title provided)                   \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"  -> {HKLM...CLSID} = "Shell Search Band"                   \InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"  -> {HKLM...CLSID} = "avast"                   \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"  -> {HKLM...CLSID} = "RealOne Player Context Menu Class"                   \InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\INFECTION WARNING! "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "ewido anti-spyware 4.0"  -> {HKLM...CLSID} = "CShellExecuteHookImpl Object"                   \InProcServer32\(Default) = "C:\Program Files\ewido anti-spyware 4.0\shellexecutehook.dll" ["Anti-Malware Development a.s."]HKLM\Software\Classes\PROTOCOLS\Filter\INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"  -> {HKLM...CLSID} = (no title provided)                   \InProcServer32\(Default) = "C:\Program Files\Fichiers communs\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]HKLM\Software\Classes\*\shellex\ContextMenuHandlers\avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"  -> {HKLM...CLSID} = "avast"                   \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]ewido anti-spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"  -> {HKLM...CLSID} = "CContextScan Object"                   \InProcServer32\(Default) = "C:\Program Files\ewido anti-spyware 4.0\context.dll" ["Anti-Malware Development a.s."]HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ewido anti-spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"  -> {HKLM...CLSID} = "CContextScan Object"                   \InProcServer32\(Default) = "C:\Program Files\ewido anti-spyware 4.0\context.dll" ["Anti-Malware Development a.s."]HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"  -> {HKLM...CLSID} = "avast"                   \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]Active Desktop and Wallpaper:-----------------------------Active Desktop is disabled at this entry:HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellStateHKCU\Control Panel\Desktop\"Wallpaper" = "C:\Documents and Settings\enzo\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"Enabled Screen Saver:---------------------HKCU\Control Panel\Desktop\"SCRNSAVE.EXE" = "C:\WINDOWS\ACER.SCR" [null data]Winsock2 Service Provider DLLs:-------------------------------Namespace Service ProvidersHKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]Transport Service ProvidersHKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:%SystemRoot%\system32\mswsock.dll [MS], 01 - 04, 07 - 16%SystemRoot%\system32\rsvpsp.dll [MS], 05 - 06Toolbars, Explorer Bars, Extensions:------------------------------------Extensions (Tools menu items, main toolbar menu buttons)HKLM\Software\Microsoft\Internet Explorer\Extensions\{92780B25-18CC-41C8-B9BE-3C9C571A8263}\"ButtonText" = "Recherche"{FB5F1910-F110-11D2-BB9E-00C04F795683}\"ButtonText" = "Messenger""MenuText" = "Windows Messenger""Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]Miscellaneous IE Hijack Points------------------------------C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")Added lines (compared with English-language version):[Strings]: SAFESITE_VALUE="https://www.msn.com/fr-fr/?redirfallthru=http%3a%2f%2fhome.microsoft.com%2fintl%2ffr%2f%3f"Missing lines (compared with English-language version):[Strings]: 1 lineRunning Services (Display Name, Service Name, Path {Service DLL}):------------------------------------------------------------------Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\System32\Ati2evxx.exe" ["ATI Technologies Inc."]avast! Antivirus, avast! Antivirus, ""C:\Program Files\Alwil Software\Avast4\ashServ.exe"" [null data]avast! iAVS4 Control Service, aswUpdSv, ""C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"" [null data]avast! Mail Scanner, avast! Mail Scanner, ""C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]avast! Web Scanner, avast! Web Scanner, ""C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service" ["ALWIL Software"]ewido anti-spyware 4.0 guard, ewido anti-spyware 4.0 guard, "C:\Program Files\ewido anti-spyware 4.0\guard.exe" ["Anti-Malware Development a.s."]Notebook Manager Service, anbmService, "C:\Acer\eManager\anbmServ.exe" ["OSA Technologies Inc."]TrueVector Internet Monitor, vsmon, "C:\WINDOWS\system32\ZONELABS\vsmon.exe -service" ["Zone Labs, LLC"]Print Monitors:---------------HKLM\System\CurrentControlSet\Control\Print\Monitors\Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]----------+ This report excludes default entries except where indicated.+ To see *everywhere* the script checks and *everything* it finds,  launch it from a command prompt or a shortcut with the -all parameter.+ To search all directories of local fixed drives for DESKTOP.INI  DLL launch points and all Registry CLSIDs for dormant Explorer Bars,  use the -supp parameter or answer "No" at the first message box.---------- (total run time: 29 seconds, including 12 seconds for message boxes)

Regis59 · Answer

Re,Fixe ceci dans hijack this:O4 - HKLM\..\RunServices: [ÿ_zskqixtzu[p_jbaxf]`40inkrwksz_] c:\windows\system32\_zskwrkni04`]fxabj_p[uztxiq.exe Lance ccleaner, Suppression des fichiers temporairesVa dans la section "Options" situé dans la marge gauche. Va dans "Avancé" et décoche "Effacer uniquement les fichiers, du dossier Temp de Windows, plus vieux que 48 heures". Retourne ensuite dans la section "Nettoyeur"Fais bien attention de cocher toutes les cases dans la marge gauche (Internet Explorer/Windows Explorer/Système/Avancé)•	Clique sur Analyse•	Patiente le temps du scan, qui peut prendre un peu de temps si c'est la première fois.•	Une fois le scan terminé, clique sur Lancer le Nettoyage Suppression des incohérence du registre•	Clique sur l'icône Erreurs situés dans la marge à gauche.•	Puis clique sur Analyser les erreurs•	Patiente pendant que CCleaner scan ton registre.•	Une fois le scan terminé, coche toutes les entrèes qu'il t'aura trouvée.•	Tu peux cliquer ensuite sur Corriger les erreurs.Redemarre et remet un Hijack Thisa+

laurentired · Answer

voili voilou,les manips ont été faites, mais la fameuse ligne revient à chaque fois.???A tout'

laurentired · Answer

pardon, j'oublie le log:Logfile of HijackThis v1.99.1Scan saved at 17:29:06, on 30/06/2006Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Running processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\System32\Ati2evxx.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\system32\userinit.exeC:\WINDOWS\Explorer.EXEC:\Program Files\Synaptics\SynTP\SynTPLpr.exeC:\Program Files\Synaptics\SynTP\SynTPEnh.exeC:\Program Files\Aspire Arcade\PCMService.exeC:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exeC:\Program Files\Launch Manager\QtZgAcer.EXEC:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exeC:\Program Files\Fichiers communs\Real\Update_OB\realsched.exeC:\Program Files\Zone Labs\ZoneAlarm\zlclient.exeC:\Program Files\Messenger\msmsgs.exeC:\Documents and Settings\enzo\Bureau\HijackThis.exeR1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://www.sfr.fr/offres-numericable.htmlR0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = LiensO2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dllO2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO4 - HKLM\..\Run: [LaunchApp] AlaunchO4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exeO4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exeO4 - HKLM\..\Run: [PCMService] "C:\Program Files\Aspire Arcade\PCMService.exe"O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNCO4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNCO4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMENameO4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exeO4 - HKLM\..\Run: [LManager] C:\Program Files\Launch Manager\QtZgAcer.EXEO4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exeO4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe"  -osbootO4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exeO4 - HKLM\..\RunServices: [ÿ_zskqixtzu[p_jbaxf]`40inkrwksz_] c:\windows\system32\_zskwrkni04`]fxabj_p[uztxiq.exeO4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /backgroundO8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLLO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cabO16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cabO23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Fichiers communs\Adobe Systems Shared\Service\Adobelmsvc.exeO23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exeO23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exeO23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exeO23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exeO23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exeO23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exeO23 - Service: wsfws(wsfws) (wsfws) - Unknown owner - C:\WINDOWS\system32\wsfws.exe (file missing)

Regis59 · Answer

Re;Lance Hijack this < open the misc tools section < Generate start uplist log < Repond oui a la question <Copie colle le rapport a+

laurentired · Answer

yop;voila qui est fait:StartupList report, 30/06/2006, 21:25:16StartupList version: 1.52.2Started from : C:\Documents and Settings\enzo\Bureau\HijackThis.EXEDetected: Windows XP SP2 (WinNT 5.01.2600)Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)* Using default options==================================================Running processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\System32\Ati2evxx.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\Explorer.EXEC:\Program Files\Synaptics\SynTP\SynTPLpr.exeC:\Program Files\Synaptics\SynTP\SynTPEnh.exeC:\Program Files\Aspire Arcade\PCMService.exeC:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exeC:\Program Files\Launch Manager\QtZgAcer.EXEC:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exeC:\Program Files\Fichiers communs\Real\Update_OB\realsched.exeC:\Program Files\Zone Labs\ZoneAlarm\zlclient.exeC:\Program Files\Messenger\msmsgs.exeC:\Acer\eManager\anbmServ.exeC:\Program Files\Alwil Software\Avast4\aswUpdSv.exeC:\Program Files\Alwil Software\Avast4\ashServ.exeC:\Program Files\ewido anti-spyware 4.0\guard.exeC:\WINDOWS\system32\ZONELABS\vsmon.exeC:\Program Files\Alwil Software\Avast4\ashMaiSv.exeC:\Program Files\Alwil Software\Avast4\ashWebSv.exeC:\Program Files\Internet Explorer\iexplore.exeC:\Documents and Settings\enzo\Bureau\HijackThis.exe--------------------------------------------------Checking Windows NT UserInit:[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]UserInit = C:\WINDOWS\system32\userinit.exe,--------------------------------------------------Autorun entries from Registry:HKLM\Software\Microsoft\Windows\CurrentVersion\RunLaunchApp = AlaunchSynTPLpr = C:\Program Files\Synaptics\SynTP\SynTPLpr.exeSynTPEnh = C:\Program Files\Synaptics\SynTP\SynTPEnh.exePCMService = "C:\Program Files\Aspire Arcade\PCMService.exe"IMJPMIG8.1 = "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32MSPY2002 = C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNCPHIME2002ASync = C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNCPHIME2002A = C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMENameATIPTA = C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exeLManager = C:\Program Files\Launch Manager\QtZgAcer.EXEavast! = C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exeTkBellExe = "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe"  -osbootZone Labs Client = C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe--------------------------------------------------Autorun entries from Registry:HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesÿ_zskqixtzu[p_jbaxf]`40inkrwksz_ = c:\windows\system32\_zskwrkni04`]fxabj_p[uztxiq.exe--------------------------------------------------Autorun entries from Registry:HKCU\Software\Microsoft\Windows\CurrentVersion\RunMSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background--------------------------------------------------Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:Shell=*INI section not found*SCRNSAVE.EXE=*INI section not found*drivers=*INI section not found*Shell & screensaver key from Registry:Shell=explorer.exeSCRNSAVE.EXE=C:\WINDOWS\ACER.SCRdrivers=*Registry value not found*Policies Shell key:HKCU\..\Policies: Shell=*Registry value not found*HKLM\..\Policies: Shell=*Registry value not found*--------------------------------------------------Enumerating Browser Helper Objects:(no name) - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}--------------------------------------------------Enumerating Download Program Files:[CKAVWebScan Object]InProcServer32 = C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dllCODEBASE = http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab[ewidoOnlineScan Control]InProcServer32 = C:\WINDOWS\DOWNLO~1\EWIDOO~1.DLLCODEBASE = http://download.ewido.net/ewidoOnlineScan.cab--------------------------------------------------Enumerating ShellServiceObjectDelayLoad items:PostBootReminder: C:\WINDOWS\system32\SHELL32.dllCDBurn: C:\WINDOWS\system32\SHELL32.dllWebCheck: C:\WINDOWS\System32\webcheck.dllSysTray: C:\WINDOWS\System32\stobject.dll--------------------------------------------------End of report, 5 330 bytesReport generated in 0,040 secondsCommand line options:   /verbose  - to add additional info on each section   /complete - to include empty sections and unsuspicious data   /full     - to include several rarely-important sections   /force9x  - to include Win9x-only startups even if running on WinNT   /forcent  - to include WinNT-only startups even if running on Win9x   /forceall - to include all Win9x and WinNT startups, regardless of platform   /history  - to list version history only

Regis59 · Answer

SalutAffiche les fichiers caches, et regarde si tu as ceci:c:\windows\system32\_zskwrkni04`]fxabj_p[uztxiq.exe A+

laurentired · Answer

SALUT,je n'ai rien qui y ressemble de près ou de loin...a +

Regis59 · Answer

Re,Télécharge ceci Registry Search Tool http://www.billsway.com/vbspage/ décompresse le et tape ou colle _zskwrkni04`]fxabj_p[uztxiq.exe et copie colle le résultat dans le bloc note et donne le nousA+

laurentired · Answer

rere,merci pour la réponse super rapide,voila ce que ca me dit:REGEDIT4; RegSrch.vbs © Bill James; Registry search results for string "_zskwrkni04`]fxabj_p[uztxiq.exe" 30/06/2006 22:13:28; NOTE: This file will be deleted when you close WordPad.; You must manually save this file to a new location if you want to refer to it again later.; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)"ÿ_zskqixtzu[p_jbaxf]`40inkrwksz_"="c:\windows\system32\_zskwrkni04`]fxabj_p[uztxiq.exe""ÿ_zskqixtzu[p_jbaxf]`40inkrwksz_"="c:\windows\system32\_zskwrkni04`]fxabj_p[uztxiq.exe""ÿ_zskqixtzu[p_jbaxf]`40inkrwksz_"="c:\windows\system32\_zskwrkni04`]fxabj_p[uztxiq.exe"a tout'

Regis59 · Answer

Re,Téléchargement :http://www.killbox.net/downloads/KillBox.exeDouble clic sur killbox.exe (Pocket Killbox) - coche: delete on reboot - Dans "Full Path of File to Delete" -selectionne "single File"copie et colle: c:\windows\system32\_zskwrkni04`]fxabj_p[uztxiq.exe- clique sur la croix rouge - une fenêtre va apparaître pour confirmation clique sur YES - une seconde fenêtre te demande si tu veux redémarrer clique sur YES Si ce message s’affiche ignore le :http://tinypic.com/images/goodbye.jpg Laisse le pc redémarrer.Et après relance le programme regsearsh et redonne le rapport.A+

laurentired · Answer

RE,J'ai utilisé killbox mais l'ordiateur ne rebootait pas automatiquement, je l'ai donc fait manuellement et le registry scan n'a plus trouvé de traces de c:\windows\system32\_zskwrkni04`]fxabj_p[uztxiq.exe. Mais il continue de figurer dans le log de Hijackthis...Encore merci pour tout, meme pour ce qui va venir...A+

Regis59 · Answer

Salut Laurent,Redemarre le pc, et donne moi- rapport de reg searsh- le hijack this normal- le hijack this plus longA+PS: Tu me diras merci a la fin ;-)

Spysheriff et d'autres.

60 réponses

Votre réponse

Newsletters