[virus] It cancels my setups and slows down my PC
Closed
Franckyll
Posts: 10
Registered: Saturday 10 June 2006
Status: Member
Last activity: 11 August 2006
9 Jul 2006 at 14:16
Last reply: don vincenzoo - 15 Sep 2007 at 15:21
37 replies
Regis59
Posts: 21123
Registered: Tuesday 27 June 2006
Status: Security contributor
Last activity: 22 June 2016
1 346
17 Jul 2006 at 13:53
Hi
So it doesn't restart?
Then restart it manually.
See you
Are you sure that if I restart it manually, Pocket Killbox will still carry out its deletion? And do I need to restart with the error message displayed, or do I click OK, then close Pocket Killbox?
Regis59
Posts: 21123
Registered: Tuesday 27 June 2006
Status: Security contributor
Last activity: 22 June 2016
1 346
17 Jul 2006 at 16:35
Hi
Yes yes, don't worry lol
You click OK, close Killbox and all applications, and restart.
See you
"Silent Runners.vbs", revision 46, https://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
"WinUpdate.exe" = "H:\Program Files\Windows\WinUpdate.exe" [file not found]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"TkBellExe" = ""H:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"MessengerPlus3" = ""C:\Program Files\MessengerPlus! 3\MsgPlus.exe"" ["Patchou"]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Extension Affichage Panorama du Panneau de configuration"
-> {HKLM...CLSID} = "Extension Affichage Panorama du Panneau de configuration"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Extension icône HyperTerminal"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "H:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {HKLM...CLSID} = "Portable Media Devices"
\InProcServer32\(Default) = "H:\WINDOWS\System32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {HKLM...CLSID} = "Portable Media Devices Menu"
\InProcServer32\(Default) = "H:\WINDOWS\System32\Audiodev.dll" [MS]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{e82a2d71-5b2f-43a0-97b8-81be15854de8}" = "ShellLink for Application References"
-> {HKLM...CLSID} = "ShellLink for Application References"
\InProcServer32\(Default) = "H:\WINDOWS\System32\dfshim.dll" [MS]
"{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75}" = "Shell Icon Handler for Application References"
-> {HKLM...CLSID} = "Shell Icon Handler for Application References"
\InProcServer32\(Default) = "H:\WINDOWS\System32\dfshim.dll" [MS]
"{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler"
-> {HKLM...CLSID} = "NeroDigitalIconHandler Class"
\InProcServer32\(Default) = "H:\Program Files\Fichiers communs\Ahead\lib\NeroDigitalExt.dll" ["Nero AG"]
"{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler"
-> {HKLM...CLSID} = "NeroDigitalPropSheetHandler Class"
\InProcServer32\(Default) = "H:\Program Files\Fichiers communs\Ahead\lib\NeroDigitalExt.dll" ["Nero AG"]
"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"
-> {HKLM...CLSID} = "AlcoholShellEx"
\InProcServer32\(Default) = "H:\PROGRA~1\ALCOHO~1\ALCOHO~1\AXShlEx.dll" ["Alcohol Soft Development Team"]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "ewido anti-spyware 4.0"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "H:\Program Files\ewido anti-spyware 4.0\shellexecutehook.dll" ["Anti-Malware Development a.s."]
HKLM\System\CurrentControlSet\Control\Session Manager\
INFECTION WARNING! "BootExecute" = "autocheck autochk * SsiEfr.e OODBS" [file not found], [MS], [file not found], [file not found], [file not found]
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
INFECTION WARNING! WgaLogon\DLLName = "WgaLogon.dll" [MS]
INFECTION WARNING! WRNotifier\DLLName = "WRLogonNTF.dll" ["Webroot Software, Inc."]
HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{7D4D6379-F301-4311-BEBA-E26EB0561882}\(Default) = "NeroDigitalExt.NeroDigitalColumnHandler"
-> {HKLM...CLSID} = "NeroDigitalColumnHandler Class"
\InProcServer32\(Default) = "H:\Program Files\Fichiers communs\Ahead\lib\NeroDigitalExt.dll" ["Nero AG"]
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
ewido anti-spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "H:\Program Files\ewido anti-spyware 4.0\context.dll" ["Anti-Malware Development a.s."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido anti-spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "H:\Program Files\ewido anti-spyware 4.0\context.dll" ["Anti-Malware Development a.s."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
Active Desktop and Wallpaper:
-----------------------------
Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\photos\logo\logo noir & vert plastik.bmp"
Enabled Screen Saver:
---------------------
HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "H:\WINDOWS\System32\sstext3d.scr" [MS]
Autostart via AUTORUN.INF on local fixed drives:
------------------------------------------------
E:\
INFECTION WARNING! E:\AUTORUN.INF -> "OPEN=Info.exe folder.htt 480 480" ["XSS"]
Startup items in "Fr@nckyll" & "All Users" startup folders:
-----------------------------------------------------------
H:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage
"Adobe Gamma Loader" -> shortcut to: "H:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 19
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05
Toolbars, Explorer Bars, Extensions:
------------------------------------
Toolbars
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "h:\program files\google\googletoolbar1.dll" ["Google Inc."]
"{052B12F7-86FA-4921-8482-26C42316B522}"
-> {HKLM...CLSID} = "Safety Bar"
\InProcServer32\(Default) = "H:\Program Files\Safety Bar\Safety Bar.dll" [null data]
HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "h:\program files\google\googletoolbar1.dll" ["Google Inc."]
"{F053C368-5458-45B2-9B4D-D8914BDDDBFF}" = (no title provided)
-> {HKLM...CLSID} = "TextAloud"
\InProcServer32\(Default) = "C:\PROGRA~1\TEXTAL~1\TAForIE.dll" [null data]
Explorer Bars
Dormant Explorer Bars in "View, Explorer Bar" menu
HKLM\Software\Classes\CLSID\{052B12F7-86FA-4921-8482-26C42316B522}\(Default) = "Safety Bar"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "H:\Program Files\Safety Bar\Safety Bar.dll" [null data]
HKLM\Software\Classes\CLSID\{F053C368-5458-45B2-9B4D-D8914BDDDBFF}\(Default) = "TextAloud"
Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]
InProcServer32\(Default) = "C:\PROGRA~1\TEXTAL~1\TAForIE.dll" [null data]
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Console Java (Sun)"
"CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}"
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "@H:\Program Files\Messenger\Msgslang.dll,-61144"
"MenuText" = "@H:\Program Files\Messenger\Msgslang.dll,-61144"
"Exec" = "H:\Program Files\Messenger\msmsgs.exe" [MS]
Miscellaneous IE Hijack Points
------------------------------
H:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")
Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
[Strings]: SAFESITE_VALUE="https://www.msn.com/fr-fr/?redirfallthru=http%3a%2f%2fhome.microsoft.com%2fintl%2ffr%2f%3f"
Missing lines (compared with English-language version):
[Strings]: 2 lines
HOSTS file
----------
H:\WINDOWS\System32\drivers\etc\HOSTS
maps: 3 domain names to IP addresses,
2 of the IP addresses are *not* localhost!
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
Ati HotKey Poller, Ati HotKey Poller, "H:\WINDOWS\System32\Ati2evxx.exe" ["ATI Technologies Inc."]
ewido anti-spyware 4.0 guard, ewido anti-spyware 4.0 guard, "H:\Program Files\ewido anti-spyware 4.0\guard.exe" ["Anti-Malware Development a.s."]
----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 156 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 25 seconds.
---------- (total run time: 278 seconds)
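The Silent Runners report above marks every entry at a sensitive launch point with "INFECTION WARNING!", and that flag fires on legitimate hooks (the ewido, ATI and WGA entries) just as readily as on anything hostile. What actually stands out in the report is structural: an autostart value under Policies\Explorer\Run whose target is missing on disk, a BootExecute entry with missing components, an AUTORUN.INF on a fixed drive, and a toolbar DLL with no version information. The script below is an added example, not code from the thread or from the Silent Runners script; it runs over a constructed excerpt of the posted report (embedded inline) and ranks lines by those structural signals rather than by the tool's own warning prefix. The severity scheme and the set of status tags it recognises are my assumptions, not part of Silent Runners.

```python
"""Triage a Silent Runners report: pull out the lines worth a second look.

Added example; not code from the thread or from the Silent Runners script.
Silent Runners prefixes "INFECTION WARNING!" to anything it finds at a
launch point it considers sensitive, whether or not the file is hostile,
so the triage keeps the section each entry came from and the publisher
string the tool printed, and ranks a launch point whose target is missing
on disk, or an AUTORUN.INF on a fixed drive, above a warning whose DLL
carries a recognised company name.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "severity section line publisher")

HIGH, MEDIUM, LOW = 3, 2, 1                       # assumed ranking, not the tool's
STATUS_TAGS = {"file not found", "null data"}     # bracket tags that are not publishers
RULE = re.compile(r"-{3,}")                       # underline below a section title

# Constructed excerpt of the Silent Runners output posted in the thread.
SAMPLE_REPORT = r"""Startup items buried in registry:
---------------------------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
"WinUpdate.exe" = "H:\Program Files\Windows\WinUpdate.exe" [file not found]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"TkBellExe" = ""H:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
HKLM\System\CurrentControlSet\Control\Session Manager\
INFECTION WARNING! "BootExecute" = "autocheck autochk * SsiEfr.e OODBS" [file not found], [MS], [file not found], [file not found], [file not found]
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! WgaLogon\DLLName = "WgaLogon.dll" [MS]
Autostart via AUTORUN.INF on local fixed drives:
------------------------------------------------
INFECTION WARNING! E:\AUTORUN.INF -> "OPEN=Info.exe folder.htt 480 480" ["XSS"]
Toolbars, Explorer Bars, Extensions:
------------------------------------
"{052B12F7-86FA-4921-8482-26C42316B522}"
-> {HKLM...CLSID} = "Safety Bar"
\InProcServer32\(Default) = "H:\Program Files\Safety Bar\Safety Bar.dll" [null data]
"""


def bracket_tags(line):
    """All [...] tags Silent Runners appended to a line, in order."""
    return re.findall(r"\[([^\]]*)\]", line)


def publisher_of(line):
    """First bracket tag that is a company name rather than a status."""
    for tag in bracket_tags(line):
        if tag not in STATUS_TAGS:
            return tag.strip('"')
    return None


def classify(section, line):
    """Severity for one report line, or None when there is nothing to flag."""
    tags = set(bracket_tags(line))
    if "file not found" in tags:
        return HIGH      # launch point whose target no longer exists on disk
    if section.startswith("Autostart via AUTORUN.INF") and "AUTORUN.INF" in line:
        return HIGH      # autorun on a fixed drive is never a default
    if "null data" in tags:
        return MEDIUM    # binary without a version resource: origin unknown
    if line.startswith("INFECTION WARNING!"):
        return LOW       # the tool's own flag; legitimate hooks trigger it too
    return None


def triage(report):
    """Walk the report, tracking section titles, and collect flagged lines."""
    findings, section = [], ""
    lines = report.splitlines()
    for i, line in enumerate(lines):
        if RULE.fullmatch(line):
            continue
        if i + 1 < len(lines) and RULE.fullmatch(lines[i + 1]):
            section = line.rstrip(":")          # title is the line above the rule
            continue
        sev = classify(section, line)
        if sev is not None:
            findings.append(Finding(sev, section, line, publisher_of(line)))
    return sorted(findings, key=lambda f: -f.severity)   # stable: report order within a level


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"[{f.severity}] {f.section}: {f.line}  (publisher: {f.publisher})")
```

On the excerpt this puts the dangling WinUpdate.exe value, the BootExecute entry and the E:\AUTORUN.INF line at the top, the unsigned Safety Bar DLL next, and the WgaLogon hook last. A "[file not found]" under Shell Extensions\Approved (the deskpan.dll entry in the full report) would also rank high; that is a stale registration rather than a launch point, and the section name the finding carries is what lets a reader make that call.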
Regis59
Posts: 21123
Registered: Tuesday 27 June 2006
Status: Security contributor
Last activity: 22 June 2016
1 346
18 Jul 2006 at 09:26
Hi
Ah, the rascal, it's resisting lol, but we'll get it :-)
Check whether it shows up now:
H:\Program Files\Windows\WinUpdate.exe
(it's on H)
And also do this please:
Start > My Computer > C > Windows > System32 > drivers > etc > hosts, open it with Notepad, and copy/paste its contents here.
See you
The file H:\Program Files\Windows\WinUpdate.exe still cannot be found (even with hidden and system files shown)
Here is the report:
# Copyright (c) 1993-2004 Microsoft Corp.
#
# AutoGenerated by Microsoft (R) Windows (R) Malicious Software Removal Tool.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
127.0.0.1 localhost
0.0.0.0 www.zango.com
0.0.0.0 zango.com
# Start of entries inserted by Spybot - Search & Destroy
# End of entries inserted by Spybot - Search & Destroy
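The Silent Runners line "maps: 3 domain names to IP addresses, 2 of the IP addresses are *not* localhost!" and the HOSTS file posted above describe a check that is worth automating, with one distinction the tool's summary does not make: a name mapped to 0.0.0.0 or 127.0.0.1 is blocked (that is how anti-spyware immunisation lists are written), whereas a name mapped to a routable address is sent somewhere else, which is the hijack pattern. The script below is an added example, not code from the thread, from Silent Runners or from Spybot. It embeds the posted file (comment header shortened) and a constructed variant with one hypothetical redirect line; the address 192.0.2.10 and the name www.example-bank.test are documentation values I made up for the demonstration.

```python
"""Audit a Windows HOSTS file the way Silent Runners summarises it.

Added example; not code from the thread, from Silent Runners or from
Spybot. It counts name-to-address mappings, counts how many do not point
at loopback, and splits the entries into sinks (0.0.0.0 or loopback,
which block the name) and redirects (a routable address, the hijack
pattern).
"""
import ipaddress
from dataclasses import dataclass

# The HOSTS file posted in the thread, with its comment header shortened.
POSTED_HOSTS = """\
# Copyright (c) 1993-2004 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# 102.54.94.97     rhino.acme.com          # source server
127.0.0.1       localhost
0.0.0.0         www.zango.com
0.0.0.0         zango.com
# Start of entries inserted by Spybot - Search & Destroy
# End of entries inserted by Spybot - Search & Destroy
"""

# Constructed variant: the same file plus one hypothetical redirect line
# (documentation address and name; nothing like it appears in the thread).
HIJACKED_HOSTS = POSTED_HOSTS + "192.0.2.10      www.example-bank.test   # constructed\n"


@dataclass
class HostsEntry:
    address: str
    names: list
    line_no: int

    @property
    def is_sink(self) -> bool:
        """True when the mapping blocks the name instead of redirecting it."""
        ip = ipaddress.ip_address(self.address)
        return ip.is_loopback or ip.is_unspecified


def parse_hosts(text: str) -> list:
    """Return the mapping lines of a HOSTS file; comments and junk are skipped."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        parts = line.split()
        if len(parts) < 2:
            continue                              # blank, comment, or no name
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue                              # not an address: skip, don't guess
        entries.append(HostsEntry(parts[0], parts[1:], n))
    return entries


def audit(text: str) -> dict:
    """Reproduce the Silent Runners HOSTS summary and add a sink/redirect split."""
    entries = parse_hosts(text)
    not_loopback = [e for e in entries
                    if not ipaddress.ip_address(e.address).is_loopback]
    return {
        "mappings": sum(len(e.names) for e in entries),
        "non_localhost": sum(len(e.names) for e in not_loopback),
        "blocks": [n for e in entries if e.is_sink
                   for n in e.names if n != "localhost"],
        "redirects": [(n, e.address, e.line_no)
                      for e in entries if not e.is_sink for n in e.names],
    }


if __name__ == "__main__":
    for label, text in (("posted", POSTED_HOSTS), ("constructed", HIJACKED_HOSTS)):
        r = audit(text)
        print(f"[{label}] maps: {r['mappings']} domain names to IP addresses, "
              f"{r['non_localhost']} of the IP addresses are not localhost")
        print(f"[{label}] blocked names: {r['blocks']}")
        for name, addr, ln in r["redirects"]:
            print(f"[{label}] REDIRECT line {ln}: {name} -> {addr}")
```

On the posted file this reproduces the Silent Runners figures (3 mappings, 2 not localhost) and lists both zango.com names as blocks with no redirects; on the constructed variant the one routable mapping is reported with its line number. Silent Runners counts anything that is not 127.0.0.1 as "not localhost", so 0.0.0.0 block lines inflate that number even though they send traffic nowhere; the redirect list is the one to read first.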
Regis59
Posts: 21123
Registered: Tuesday 27 June 2006
Status: Security contributor
Last activity: 22 June 2016
1 346
18 Jul 2006 at 19:12
Hi
What is here:
0.0.0.0 www.zango.com
0.0.0.0 zango.com
is in the hosts file?
See you
Regis59
Posts: 21123
Registered: Tuesday 27 June 2006
Status: Security contributor
Last activity: 22 June 2016
1 346
18 Jul 2006 at 23:06
Hi
Delete them, so that only this remains:
# Copyright (c) 1993-2004 Microsoft Corp.
#
# AutoGenerated by Microsoft (R) Windows (R) Malicious Software Removal Tool.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
127.0.0.1 localhost
Then click File > Save.
Restart, check that it is still as above, and see whether you can see the file now.
See you
The Hosts file has been modified, but the WinUpdate.exe file still cannot be found ... :/
I'm also attaching a BitDefender report just in case:
--------------------------------------------------------------------------
BitDefender Online Scanner
Scan report generated at: Wed, Jul 19, 2006 - 04:48:03
Scan path: A:\;C:\;D:\;E:\;F:\;G:\;H:\;
Statistics
Time: 01:54:30
Files: 319109
Directories: 5762
Boot sectors: 5
Archives: 10112
Program packages: 22767
Results
Viruses identified: 2
Infected files: 43
Suspect files: 0
Warnings: 0
Disinfected: 39
Deleted files: 0
Engine info
Virus definitions: 411865
Engine version: AVCORE v1.0 (build 2310) (i386) (Apr 17 2006 16:24:38)
Scan plugins: 13
Archive plugins: 39
Unpack plugins: 5
E-mail plugins: 6
System plugins: 1
Scan settings
First action: Disinfect
Second action: Delete
Heuristics: Yes
Accept warnings: Yes
Scanned extensions: *;
Excluded extensions:
Scan e-mail: Yes
Scan archives: Yes
Scan program packages: Yes
Scan files: Yes
Scan boot sectors: Yes
Scanned file / Status
C:\RECYCLER\S-1-5-21-1757981266-2139871995-682003330-1003\Dc3\wwpClean.exe
Infected with: Win32.Virtob.C
Disinfected
H:\Documents and Settings\Fr@nckyll\Bureau\SmitfraudFix\SmitfraudFix\GenericRenosFix.exe
Infected with: Win32.Virtob.C
Disinfected
H:\Documents and Settings\Fr@nckyll\Bureau\SmitfraudFix\SmitfraudFix\Process.exe
Infected with: Win32.Virtob.C
Disinfected
H:\Documents and Settings\Fr@nckyll\Bureau\SmitfraudFix\SmitfraudFix\Reboot.exe
Infected with: Win32.Virtob.C
Disinfected
H:\Documents and Settings\Fr@nckyll\Bureau\SmitfraudFix\SmitfraudFix\restart.exe
Infected with: Win32.Virtob.C
Disinfected
H:\Documents and Settings\Fr@nckyll\Bureau\SmitfraudFix\SmitfraudFix\swreg.exe
Infected with: Win32.Virtob.C
Disinfected
H:\Documents and Settings\Fr@nckyll\Bureau\SmitfraudFix\SmitfraudFix\swsc.exe
Infected with: Win32.Virtob.C
Disinfected
H:\Documents and Settings\Fr@nckyll\Local Settings\Temp\set5B.tmp
Infected with: Win32.Virtob.C
Disinfected
H:\Documents and Settings\Fr@nckyll\Local Settings\Temp\set5C.tmp
Infected with: Win32.Virtob.C
Disinfected
H:\Documents and Settings\Fr@nckyll\Local Settings\Temporary Internet Files\Content.IE5\RK5VBL56\WoW-1.11.2.5464-to-0.12.0.5496-frFR-downloader[1].exe
Infected with: Win32.Virtob.C
Disinfected
H:\Documents and Settings\Fr@nckyll\Menu Démarrer\Programmes\IntelliTamper\IntelliTamper.lnk=>H:\Program Files\IntelliTamper\intellitamper.exe
Infected with: Win32.Virtob.C
Disinfected
H:\Documents and Settings\Fr@nckyll\Menu Démarrer\Programmes\IntelliTamper\IntelliTamper.lnk
Updated
H:\Program Files\ewido anti-malware\ewidoguard.exe
Infected with: Win32.Virtob.C
Disinfected
H:\Program Files\ewido anti-malware\SecuritySuite.exe
Infected with: Win32.Virtob.C
Disinfected
H:\Program Files\ewido anti-spyware 4.0\ewido.exe
Infected with: Win32.Virtob.C
Disinfected
H:\Program Files\ewido anti-spyware 4.0\guard.exe
Infected with: Win32.Virtob.C
Disinfection failed
Deletion failed
H:\Program Files\MSN Messenger\msnmsgr.exe
Infected with: Win32.Virtob.C
Disinfection failed
Deletion failed
H:\RECYCLER\S-1-5-21-1757981266-2139871995-682003330-1003\Dh53\WoW.exe
Infected with: Win32.Virtob.C
Disinfected
H:\RECYCLER\S-1-5-21-1757981266-2139871995-682003330-1003\Dh56.exe
Infected with: Win32.Virtob.C
Disinfected
H:\RECYCLER\S-1-5-21-1757981266-2139871995-682003330-1003\Dh57.exe
Infected with: Win32.Virtob.C
Disinfected
H:\RECYCLER\S-1-5-21-1757981266-2139871995-682003330-1003\Dh62.exe
Infected with: Win32.Virtob.C
Disinfected
H:\RECYCLER\S-1-5-21-1757981266-2139871995-682003330-1003\Dh66.exe
Infected with: Win32.Virtob.C
Disinfected
H:\System Volume Information\_restore{C1233D5B-F63E-4BAC-9191-D4077F362C27}\RP43\A0046500.exe
Infected with: Win32.Virtob.C
Disinfected
H:\System Volume Information\_restore{C1233D5B-F63E-4BAC-9191-D4077F362C27}\RP43\A0046573.exe
Infected with: Win32.Virtob.C
Disinfected
H:\System Volume Information\_restore{C1233D5B-F63E-4BAC-9191-D4077F362C27}\RP43\A0046574.exe
Infected with: Win32.Virtob.C
Disinfected
H:\System Volume Information\_restore{C1233D5B-F63E-4BAC-9191-D4077F362C27}\RP43\A0046575.exe
Infected with: Win32.Virtob.C
Disinfected
H:\System Volume Information\_restore{C1233D5B-F63E-4BAC-9191-D4077F362C27}\RP43\A0046576.exe
Infected with: Win32.Virtob.C
Disinfected
H:\System Volume Information\_restore{C1233D5B-F63E-4BAC-9191-D4077F362C27}\RP43\A0046578.exe
Infected with: Win32.Virtob.C
Disinfected
H:\System Volume Information\_restore{C1233D5B-F63E-4BAC-9191-D4077F362C27}\RP43\A0046579.exe
Infected with: Win32.Virtob.C
Disinfected
H:\System Volume Information\_restore{C1233D5B-F63E-4BAC-9191-D4077F362C27}\RP43\A0046592.exe
Infected with: Win32.Virtob.C
Disinfected
H:\System Volume Information\_restore{C1233D5B-F63E-4BAC-9191-D4077F362C27}\RP43\A0046607.exe
Infected with: Win32.Virtob.C
H:\System Volume Information\_restore{C1233D5B-F63E-4BAC-9191-D4077F362C27}\RP43\A0046607.exe
Désinfecté
H:\System Volume Information\_restore{C1233D5B-F63E-4BAC-9191-D4077F362C27}\RP43\A0046608.exe
Infecté par: Win32.Virtob.C
H:\System Volume Information\_restore{C1233D5B-F63E-4BAC-9191-D4077F362C27}\RP43\A0046608.exe
Désinfecté
H:\System Volume Information\_restore{C1233D5B-F63E-4BAC-9191-D4077F362C27}\RP43\A0046728.exe
Infecté par: Win32.Virtob.C
H:\System Volume Information\_restore{C1233D5B-F63E-4BAC-9191-D4077F362C27}\RP43\A0046728.exe
Désinfecté
H:\System Volume Information\_restore{C1233D5B-F63E-4BAC-9191-D4077F362C27}\RP43\A0046730.exe
Infecté par: Win32.Virtob.C
H:\System Volume Information\_restore{C1233D5B-F63E-4BAC-9191-D4077F362C27}\RP43\A0046730.exe
Désinfecté
H:\System Volume Information\_restore{C1233D5B-F63E-4BAC-9191-D4077F362C27}\RP43\A0046731.exe
Infecté par: Win32.Virtob.C
H:\System Volume Information\_restore{C1233D5B-F63E-4BAC-9191-D4077F362C27}\RP43\A0046731.exe
Désinfecté
H:\System Volume Information\_restore{C1233D5B-F63E-4BAC-9191-D4077F362C27}\RP43\A0046732.exe
Infecté par: Win32.Virtob.C
H:\System Volume Information\_restore{C1233D5B-F63E-4BAC-9191-D4077F362C27}\RP43\A0046732.exe
Désinfecté
H:\System Volume Information\_restore{C1233D5B-F63E-4BAC-9191-D4077F362C27}\RP43\A0046733.exe
Infecté par: Win32.Virtob.C
H:\System Volume Information\_restore{C1233D5B-F63E-4BAC-9191-D4077F362C27}\RP43\A0046733.exe
Désinfecté
H:\WINDOWS\system32\ati2evxx.exe
Infecté par: Win32.Virtob.C
H:\WINDOWS\system32\ati2evxx.exe
Echec de la désinfection
H:\WINDOWS\system32\ati2evxx.exe
Echec de la suppression
H:\WINDOWS\system32\Macromed\Shockwave 10\SwInit.exe
Infecté par: Win32.Virtob.C
H:\WINDOWS\system32\Macromed\Shockwave 10\SwInit.exe
Désinfecté
H:\WINDOWS\system32\Macromed\Shockwave 10\UNWISE.EXE
Infecté par: Win32.Virtob.C
H:\WINDOWS\system32\Macromed\Shockwave 10\UNWISE.EXE
Désinfecté
H:\WINDOWS\system32\Process.exe
Infecté par: Win32.Virtob.C
H:\WINDOWS\system32\Process.exe
Désinfecté
H:\WINDOWS\system32\spoolsv.exe
Infecté par: Win32.Virtob.C
H:\WINDOWS\system32\spoolsv.exe
Echec de la désinfection
H:\WINDOWS\system32\spoolsv.exe
Echec de la suppression
H:\WINDOWS\system32\swreg.exe
Infecté par: Win32.Virtob.C
H:\WINDOWS\system32\swreg.exe
Désinfecté
H:\WINDOWS\system32\swsc.exe
Infecté par: Win32.Virtob.C
H:\WINDOWS\system32\swsc.exe
Désinfecté
Regis59 (Security Contributor), 19 Jul. 2006 at 16:24
It infects every executable, the b*****!
Run a scan with BitDefender.
Then:
Double-click killbox.exe (Pocket Killbox)
- tick: delete on reboot
- in "Full Path of File to Delete"
- select "single File"
copy and paste:
H:\Program Files\Windows\WinUpdate.exe
- click the red cross
- a window will appear asking for confirmation; click YES
- a second window asks whether you want to reboot; click YES
If this message appears, ignore it:
http://tinypic.com/images/goodbye.jpg
Let the PC reboot.
After the reboot, run ewido and post the report!
Then post another Silent Runners log.
Hi,
I have a problem: when I run Silent Runners and tell it to scan, I get this error message: Http://dj.franckyll.free.fr/erreur silent runner.jpg
What is it? What should I do?
---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------
+ Created at: 23:57:10 21/07/2006
+ Scan result:
Nothing found.
::Report end
----------------------------------------------------------------------------
Regis59 (Security Contributor), 22 Jul. 2006 at 00:17
Re,
Can you try downloading it again?
"Silent Runners.vbs", revision 46, https://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
"WinUpdate.exe" = "H:\Program Files\Windows\WinUpdate.exe" [file not found]
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Win32 Security Protocol" = "secure32.exe" [file not found]
"LogitechSoftwareUpdate" = ""H:\Program Files\Logitech\ManifestEngine.exe" boot" ["Logitech Inc."]
"BitTorrent" = ""H:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized" [null data]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"TkBellExe" = ""H:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"MessengerPlus3" = ""C:\Program Files\MessengerPlus! 3\MsgPlus.exe"" ["Patchou"]
"LVCOMSX" = "H:\WINDOWS\System32\LVCOMSX.EXE" ["Logitech Inc."]
"LogitechVideoRepair" = "H:\Program Files\Logitech\ISStart.exe " ["Logitech Inc."]
"LogitechVideoTray" = "H:\Program Files\Logitech\LogiTray.exe" ["Logitech Inc."]
"Win32 Security Protocol" = "secure32.exe" [file not found]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Extension Affichage Panorama du Panneau de configuration"
-> {HKLM...CLSID} = "Extension Affichage Panorama du Panneau de configuration"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Extension icône HyperTerminal"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "H:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {HKLM...CLSID} = "Portable Media Devices"
\InProcServer32\(Default) = "H:\WINDOWS\System32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {HKLM...CLSID} = "Portable Media Devices Menu"
\InProcServer32\(Default) = "H:\WINDOWS\System32\Audiodev.dll" [MS]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{e82a2d71-5b2f-43a0-97b8-81be15854de8}" = "ShellLink for Application References"
-> {HKLM...CLSID} = "ShellLink for Application References"
\InProcServer32\(Default) = "H:\WINDOWS\System32\dfshim.dll" [MS]
"{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75}" = "Shell Icon Handler for Application References"
-> {HKLM...CLSID} = "Shell Icon Handler for Application References"
\InProcServer32\(Default) = "H:\WINDOWS\System32\dfshim.dll" [MS]
"{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler"
-> {HKLM...CLSID} = "NeroDigitalIconHandler Class"
\InProcServer32\(Default) = "H:\Program Files\Fichiers communs\Ahead\lib\NeroDigitalExt.dll" ["Nero AG"]
"{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler"
-> {HKLM...CLSID} = "NeroDigitalPropSheetHandler Class"
\InProcServer32\(Default) = "H:\Program Files\Fichiers communs\Ahead\lib\NeroDigitalExt.dll" ["Nero AG"]
"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"
-> {HKLM...CLSID} = "AlcoholShellEx"
\InProcServer32\(Default) = "H:\PROGRA~1\ALCOHO~1\ALCOHO~1\AXShlEx.dll" ["Alcohol Soft Development Team"]
"{400CFEE2-39D0-46DC-96DF-E0BB5A4324B3}" = "My Logitech Pictures"
-> {HKLM...CLSID} = "My Logitech Pictures"
\InProcServer32\(Default) = "H:\Program Files\Logitech\Namespc2.dll" ["Logitech Inc."]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "ewido anti-spyware 4.0"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "H:\Program Files\ewido anti-spyware 4.0\shellexecutehook.dll" ["Anti-Malware Development a.s."]
HKLM\System\CurrentControlSet\Control\Session Manager\
INFECTION WARNING! "BootExecute" = "autocheck autochk * SsiEfr.e OODBS" [file not found], [MS], [file not found], [file not found], [file not found]
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
INFECTION WARNING! WRNotifier\DLLName = "WRLogonNTF.dll" ["Webroot Software, Inc."]
HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{7D4D6379-F301-4311-BEBA-E26EB0561882}\(Default) = "NeroDigitalExt.NeroDigitalColumnHandler"
-> {HKLM...CLSID} = "NeroDigitalColumnHandler Class"
\InProcServer32\(Default) = "H:\Program Files\Fichiers communs\Ahead\lib\NeroDigitalExt.dll" ["Nero AG"]
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
ewido anti-spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "H:\Program Files\ewido anti-spyware 4.0\context.dll" ["Anti-Malware Development a.s."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido anti-spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "H:\Program Files\ewido anti-spyware 4.0\context.dll" ["Anti-Malware Development a.s."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
Active Desktop and Wallpaper:
-----------------------------
Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\photos\logo\logo noir & vert plastik.bmp"
Enabled Screen Saver:
---------------------
HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "H:\WINDOWS\System32\sstext3d.scr" [MS]
Autostart via AUTORUN.INF on local fixed drives:
------------------------------------------------
E:\
INFECTION WARNING! E:\AUTORUN.INF -> "OPEN=Info.exe folder.htt 480 480" ["XSS"]
Startup items in "Fr@nckyll" & "All Users" startup folders:
-----------------------------------------------------------
H:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage
"Adobe Gamma Loader" -> shortcut to: "H:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 17
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05
Toolbars, Explorer Bars, Extensions:
------------------------------------
Toolbars
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "h:\program files\google\googletoolbar1.dll" ["Google Inc."]
"{052B12F7-86FA-4921-8482-26C42316B522}"
-> {HKLM...CLSID} = "Safety Bar"
\InProcServer32\(Default) = "H:\Program Files\Safety Bar\Safety Bar.dll" [null data]
HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "h:\program files\google\googletoolbar1.dll" ["Google Inc."]
"{F053C368-5458-45B2-9B4D-D8914BDDDBFF}" = (no title provided)
-> {HKLM...CLSID} = "TextAloud"
\InProcServer32\(Default) = "C:\PROGRA~1\TEXTAL~1\TAForIE.dll" [null data]
Explorer Bars
Dormant Explorer Bars in "View, Explorer Bar" menu
HKLM\Software\Classes\CLSID\{052B12F7-86FA-4921-8482-26C42316B522}\(Default) = "Safety Bar"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "H:\Program Files\Safety Bar\Safety Bar.dll" [null data]
HKLM\Software\Classes\CLSID\{F053C368-5458-45B2-9B4D-D8914BDDDBFF}\(Default) = "TextAloud"
Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]
InProcServer32\(Default) = "C:\PROGRA~1\TEXTAL~1\TAForIE.dll" [null data]
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Console Java (Sun)"
"CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}"
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "@H:\Program Files\Messenger\Msgslang.dll,-61144"
"MenuText" = "@H:\Program Files\Messenger\Msgslang.dll,-61144"
"Exec" = "H:\Program Files\Messenger\msmsgs.exe" [MS]
Miscellaneous IE Hijack Points
------------------------------
H:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")
Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
[Strings]: SAFESITE_VALUE="https://www.msn.com/fr-fr/?redirfallthru=http%3a%2f%2fhome.microsoft.com%2fintl%2ffr%2f%3f"
Missing lines (compared with English-language version):
[Strings]: 2 lines
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
Ati HotKey Poller, Ati HotKey Poller, "H:\WINDOWS\System32\Ati2evxx.exe" ["ATI Technologies Inc."]
ewido anti-spyware 4.0 guard, ewido anti-spyware 4.0 guard, "H:\Program Files\ewido anti-spyware 4.0\guard.exe" ["Anti-Malware Development a.s."]
----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 206 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 44 seconds.
---------- (total run time: 407 seconds)
"Wallpaper" = "C:\photos\logo\logo noir & vert plastik.bmp"
Enabled Screen Saver:
---------------------
HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "H:\WINDOWS\System32\sstext3d.scr" [MS]
Autostart via AUTORUN.INF on local fixed drives:
------------------------------------------------
E:\
INFECTION WARNING! E:\AUTORUN.INF -> "OPEN=Info.exe folder.htt 480 480" ["XSS"]
Startup items in "Fr@nckyll" & "All Users" startup folders:
-----------------------------------------------------------
H:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage
"Adobe Gamma Loader" -> shortcut to: "H:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 17
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05
Toolbars, Explorer Bars, Extensions:
------------------------------------
Toolbars
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "h:\program files\google\googletoolbar1.dll" ["Google Inc."]
"{052B12F7-86FA-4921-8482-26C42316B522}"
-> {HKLM...CLSID} = "Safety Bar"
\InProcServer32\(Default) = "H:\Program Files\Safety Bar\Safety Bar.dll" [null data]
HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "h:\program files\google\googletoolbar1.dll" ["Google Inc."]
"{F053C368-5458-45B2-9B4D-D8914BDDDBFF}" = (no title provided)
-> {HKLM...CLSID} = "TextAloud"
\InProcServer32\(Default) = "C:\PROGRA~1\TEXTAL~1\TAForIE.dll" [null data]
Explorer Bars
Dormant Explorer Bars in "View, Explorer Bar" menu
HKLM\Software\Classes\CLSID\{052B12F7-86FA-4921-8482-26C42316B522}\(Default) = "Safety Bar"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "H:\Program Files\Safety Bar\Safety Bar.dll" [null data]
HKLM\Software\Classes\CLSID\{F053C368-5458-45B2-9B4D-D8914BDDDBFF}\(Default) = "TextAloud"
Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]
InProcServer32\(Default) = "C:\PROGRA~1\TEXTAL~1\TAForIE.dll" [null data]
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Console Java (Sun)"
"CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}"
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "@H:\Program Files\Messenger\Msgslang.dll,-61144"
"MenuText" = "@H:\Program Files\Messenger\Msgslang.dll,-61144"
"Exec" = "H:\Program Files\Messenger\msmsgs.exe" [MS]
Miscellaneous IE Hijack Points
------------------------------
H:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")
Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
[Strings]: SAFESITE_VALUE="https://www.msn.com/fr-fr/?redirfallthru=http%3a%2f%2fhome.microsoft.com%2fintl%2ffr%2f%3f"
Missing lines (compared with English-language version):
[Strings]: 2 lines
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
Ati HotKey Poller, Ati HotKey Poller, "H:\WINDOWS\System32\Ati2evxx.exe" ["ATI Technologies Inc."]
ewido anti-spyware 4.0 guard, ewido anti-spyware 4.0 guard, "H:\Program Files\ewido anti-spyware 4.0\guard.exe" ["Anti-Malware Development a.s."]
----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 206 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 44 seconds.
---------- (total run time: 407 seconds)
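Reading a report like the one above by hand is slow. As an added example (not part of the thread and not code from the Silent Runners tool), this Python script walks the report text, remembers the registry key or drive each entry sits under, and surfaces the lines the tool flagged, launch points whose file is missing, and binaries with no version information; the sample lines are copied from the report above.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of the Silent Runners report posted above (a few of its lines).
SAMPLE_REPORT = r"""HKLM\System\CurrentControlSet\Control\Session Manager\
INFECTION WARNING! "BootExecute" = "autocheck autochk * SsiEfr.e OODBS" [file not found], [MS], [file not found], [file not found], [file not found]
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! WRNotifier\DLLName = "WRLogonNTF.dll" ["Webroot Software, Inc."]
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
E:\
INFECTION WARNING! E:\AUTORUN.INF -> "OPEN=Info.exe folder.htt 480 480" ["XSS"]
"""
# Silent Runners annotates each binary with a bracketed tag: a company name, [MS],
# [file not found] (orphaned launch point) or [null data] (no version information).
TAG_RE = re.compile(r"\[([^\]]*)\]")
KEY_RE = re.compile(r"^(HK.*\\|[A-Z]:\\)$")  # registry key or drive-root heading

@dataclass
class Finding:
    location: str  # registry key or drive the entry sits under
    line: str      # the report line itself
    reason: str    # why it was surfaced (heuristic, not a verdict)

def triage(report: str) -> list[Finding]:
    """Surface the report lines a responder should inspect first, tagged with the key each sits under."""
    findings, location = [], "(none)"
    for raw in report.splitlines():
        line = raw.strip()
        if KEY_RE.match(line):
            location = line
            continue
        tags = TAG_RE.findall(line)
        if line.startswith("INFECTION WARNING!"):
            reason = "flagged by the tool"
            missing = tags.count("file not found")
            if missing:
                reason += f"; {missing} referenced file(s) not found"
            findings.append(Finding(location, line, reason))
        elif "file not found" in tags:
            findings.append(Finding(location, line, "launch point references a missing file"))
        elif "null data" in tags:
            findings.append(Finding(location, line, "binary carries no version/company info"))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"{f.location}\n  {f.reason}\n  {f.line}")
```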
Regis59
23 July 2006 at 11:29
Hi,
Where do your current problems stand?
Cheers
Hi, I have the same problem!!!
I found a removal tool for this virus on the Grisoft site!
The virus's name is Win32/Virut!!!!
It infects every .exe by injecting code into the exe files!
It doesn't use a rootkit to hide, but injection!
For now no antivirus is able to protect against and repair this virus (to my knowledge!)
A huge ***** that infects every .exe on all your disks!
It really sucks!
You have to disable all the System Restore options!
Then run the removal tool in Safe Mode, having downloaded it from an uninfected PC!
Here's the link:
http://www.grisoft.com/doc/34/us/crp/0/ndi/67762
My problem is that I can't reboot into Safe Mode, because it reboots as soon as I try Safe Mode!
So logically I formatted 250 GB of data and told myself ok, it'll be fine now!
Well, no!!!!
It's still there, this ****** of a ******* virus!!!!!!
So my solution is going to be radical: I'm backing up all my important files (everything except .exe, since the virus only infects those)
And for information, I had AVG Anti-Spyware up to date and AVG Antivirus 7.5 up to date installed when I got infected!
The virus infected the antivirus, which detected infected files in \sys32 and therefore deleted or quarantined them, and then on reboot no more access to Windows!!!
After some tinkering I got access to Windows back, and even when trying with Avast I got a message saying the program had been illegally modified and that it was risky to keep using it!
Best current solution: back up all your important files (no .exe!!!!) and thoroughly format all your hard drives!!
rrrrrrrrrrrrrrrrrrrrrrr
It's infuriating!