[trojan-1165] won't go away
pipoza - Messages posted: 16 - Status: Member
Séb08 - Messages posted: 18169 - Status: Contributor
Hello,
avast 4.7 detects trojan-1165 at every startup.
Located in the temp folder: a random virus name that changes every time.
Deletion, quarantine: nothing works.
I have run (several times):
Avast (boot-time scan)
Ad-Aware SE, up to date
Spybot SD 1.4
CCleaner 1.32
Cleanup40
SmitFraudFix (safe mode, system restore disabled)
Nothing works
The trojan is still there at every new startup!
Logfile of HijackThis v1.99.1
Scan saved at 11:33:43, on 04/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Hijackthis\HijackThis.exe
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Copernic Desktop Search - {C5F7A735-70F1-477F-8C36-6FF3C736017B} - C:\Program Files\Copernic Desktop Search\CopernicDesktopSearchIntegration977.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O8 - Extra context menu item: &Traduire à partir de l'anglais - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Pages liées - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Pages similaires - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Recherche &Google - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Version de la page actuelle disponible dans le cache Google - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {09CC593B-E8A9-4491-927D-A3E33534DDD4} (InstallerObj Class) - http://m6video.m6.fr/1click/install/files/installer2.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
Is there a solution?
Thanks in advance to everyone.
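Added example, not part of the original post: a small Python triage parser for the HijackThis v1.99 log format posted above. It pulls the O4 autostart, O16 ActiveX (DPF) and O23 service lines into records and flags the ones a helper checks first: autoruns given as a bare file name, services marked "(file missing)", and ActiveX controls with no description or fetched over plain HTTP. The sample lines are copied from this thread's log; the Entry record and the flag names are my own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the HijackThis v1.99.1 format; the lines are copied
# from the log posted in this thread (it is not a complete log).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
O4_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\(Run\w*): \[(.*?)\] (.*)$")
O16_RE = re.compile(r"^DPF: (\{[0-9A-Fa-f-]+\})(?: \((.*?)\))? - (\S+)$")
O23_RE = re.compile(r"^Service: (.+?) - (.+?) - (.+)$")
SECTION_RE = {"O4": O4_RE, "O16": O16_RE, "O23": O23_RE}


@dataclass
class Entry:
    code: str                   # HijackThis section, e.g. "O4"
    body: str                   # text after the "O4 - " prefix
    name: str = ""              # value name, service name, ActiveX description or CLSID
    target: str = ""            # command line, service binary or download URL
    flags: list[str] = field(default_factory=list)   # triage flags (names are my own)


def executable_of(cmd: str) -> str:
    """Return the program part of a Run command line, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def classify(entry: Entry) -> Entry:
    """Fill in name/target for O4, O16 and O23 lines and attach triage flags."""
    regex = SECTION_RE.get(entry.code)
    if regex is None:
        entry.name = entry.body          # O3/O8/O9/...: kept raw, no checks here
        return entry
    m = regex.match(entry.body)
    if m is None:
        entry.flags.append("unparsed")   # format drift: never silently drop a line
        return entry
    if entry.code == "O4":
        entry.name, entry.target = m.group(3), m.group(4)
        # A bare file name is resolved through the search path at logon, so the
        # log alone does not say which copy of that file will actually run.
        if "\\" not in executable_of(entry.target):
            entry.flags.append("bare-filename")
    elif entry.code == "O16":
        clsid, description, url = m.groups()
        entry.name, entry.target = description or clsid, url
        if description is None:
            entry.flags.append("unnamed-activex")      # control registered without a description
        if url.lower().startswith("http://"):
            entry.flags.append("plain-http-download")  # fetched without transport protection
    else:  # O23
        entry.name, owner, entry.target = m.groups()
        if "(file missing)" in entry.target:
            entry.flags.append("file-missing")   # service points at a binary HijackThis could not find
        if owner == "Unknown owner":
            entry.flags.append("unknown-owner")  # no company name to cross-check against the binary
    return entry


def parse_hijackthis(text: str) -> list[Entry]:
    """Turn the 'Oxx - ...' lines of a HijackThis log into classified entries."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m is None:
            continue  # header lines and the 'Running processes' paths are not Oxx entries
        entries.append(classify(Entry(code=m.group(1), body=m.group(2))))
    return entries


def summarize(text: str) -> dict[str, list[str]]:
    """Map each flag to the names of the entries carrying it, in log order."""
    out: dict[str, list[str]] = {}
    for entry in parse_hijackthis(text):
        for flag in entry.flags:
            out.setdefault(flag, []).append(entry.name)
    return out


if __name__ == "__main__":
    for flag, names in summarize(SAMPLE_LOG).items():
        print(f"{flag}: {', '.join(names)}")
```

A flag is a reason to look closer, not a verdict: the Logitech and avast! entries above are legitimate software that simply happens to trip the checks.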
3 replies
Hi
do this:
Do this cleanup: (to be done regularly)
¤Download and install this:
CCleaner:
Ccleaner
in the left-hand column click on "errors", tick all the boxes, then click "scan for errors" at the bottom; once it has finished, click "repair errors" and you will get a message asking to back up your registry, say "yes", then repeat until it finds no more errors.
You can delete the backups you made if your computer no longer has problems
¤Relaunch CCleaner, go to the "cleaner" tab on the left, untick the last box (Advanced, if it is ticked) then click on "run the cleaner"
Download, install and then update this program (Ewido); once that is done, run a full scan of your system and paste the report here
Ewido: (stays free after the trial period)
Download Ewido Security Suite
Then
Run this online antivirus scan with Internet Explorer and accept the ActiveX; the SP anti-popup bar (at the top) will start blinking, click on it and choose "accept the ActiveX" so the antivirus scan can run.
Once it has finished, paste the report here please
https://www.bitdefender.com/toolbox/
Good evening,
Continuing the adventure:
good news, it seems I have finally managed to get rid of this cursed trojan-1165.
I used 2 programs that are not talked about much
- Ewido
- Trojan Remover
in trial version penda
ewido anti-spyware - Scan Report
---------------------------------------------------------
+ Created at: 15:03:51 04/09/2006
+ Scan result:
C:\Documents and Settings\Monique\Mes documents\Telechargement\programmes\FixMTU.exe -> Downloader.VB.afg : No action taken.
:mozilla.7:C:\Documents and Settings\Monique\Application Data\Mozilla\Firefox\Profiles\uuwx0iby.default\cookies.txt -> TrackingCookie.Smartadserver : No action taken.
:mozilla.8:C:\Documents and Settings\Monique\Application Data\Mozilla\Firefox\Profiles\uuwx0iby.default\cookies.txt -> TrackingCookie.Smartadserver : No action taken.
:mozilla.9:C:\Documents and Settings\Monique\Application Data\Mozilla\Firefox\Profiles\uuwx0iby.default\cookies.txt -> TrackingCookie.Smartadserver : No action taken.
***** TROJAN REMOVER HAS RESTARTED THE SYSTEM *****
06/09/2006 01:02:03: Trojan Remover has been restarted
Trojan Remover forced a System Restart by terminating WINLOGON.EXE.
The Cleanup Utility was used to remove locked registry keys.
C:\WINDOWS\system32\jkkli.dll has been renamed to C:\WINDOWS\system32\jkkli.dl$
C:\WINDOWS\system32\jkkli.dll has been renamed to C:\WINDOWS\system32\jkkli.dl$
06/09/2006 01:02:03: Trojan Remover closed
************************************************************
***** NORMAL SCAN FOR ACTIVE MALWARE *****
Trojan Remover Ver 6.5.2. For information, email simplysupsupport@aol.com
[Unregistered version]
Scan started at: 06/09/2006 00:56:11
Using Database v6610
Operating System: Windows XP Home Edition Service Pack 2 (Build 2600)
Using data directory: C:\Documents and Settings\All Users\Application Data\Trojan Remover\
--------------------------------------------------
00:56:11: ----------RUNNING PROCESSES-----------
C:\WINDOWS\System32\smss.exe
FileSize: 49 Kb
Company Name: Microsoft Corporation
File Description: Gestionnaire de session Windows NT
File Version: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
Date Created: 30/08/2002 14:00:00
Last Modified: 19/08/2004 16:10:04
Internal Name: smss.exe
Copyright: © Microsoft Corporation. Tous droits réservés.
Original Filename: smss.exe
Product Name: Système d'exploitation Microsoft® Windows®
Product Version: 5.1.2600.2180
--------------------
C:\WINDOWS\system32\csrss.exe
FileSize: 6 Kb
Company Name: Microsoft Corporation
File Description: Client Server Runtime Process
File Version: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
Date Created: 30/08/2002 14:00:00
Last Modified: 19/08/2004 16:09:52
Internal Name: CSRSS.Exe
Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: CSRSS.Exe
Product Name: Microsoft® Windows® Operating System
Product Version: 5.1.2600.2180
--------------------
C:\WINDOWS\system32\winlogon.exe
FileSize: 494 Kb
Company Name: Microsoft Corporation
File Description: Application d'ouverture de session Windows NT
File Version: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
Date Created: 30/08/2002 14:00:00
Last Modified: 19/08/2004 16:10:06
Internal Name: winlogon
Copyright: © Microsoft Corporation. Tous droits réservés.
Original Filename: WINLOGON.EXE
Product Name: Système d'exploitation Microsoft® Windows®
Product Version: 5.1.2600.2180
--------------------
C:\WINDOWS\system32\services.exe
FileSize: 106 Kb
Company Name: Microsoft Corporation
File Description: Applications Services et Contrôleur
File Version: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
Date Created: 30/08/2002 14:00:00
Last Modified: 19/08/2004 16:10:04
Internal Name: services.exe
Copyright: © Microsoft Corporation. Tous droits réservés.
Original Filename: services.exe
Product Name: Système d'exploitation Microsoft® Windows®
Product Version: 5.1.2600.2180
--------------------
C:\WINDOWS\system32\lsass.exe
FileSize: 13 Kb
Company Name: Microsoft Corporation
File Description: LSA Shell (Export Version)
File Version: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
Date Created: 30/08/2002 14:00:00
Last Modified: 19/08/2004 16:09:56
Internal Name: lsass.exe
Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: lsass.exe
Product Name: Microsoft® Windows® Operating System
Product Version: 5.1.2600.2180
--------------------
C:\WINDOWS\system32\svchost.exe
FileSize: 14 Kb
Company Name: Microsoft Corporation
File Description: Generic Host Process for Win32 Services
File Version: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
Date Created: 30/08/2002 14:00:00
Last Modified: 19/08/2004 16:10:04
Internal Name: svchost.exe
Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: svchost.exe
Product Name: Microsoft® Windows® Operating System
Product Version: 5.1.2600.2180
--------------------
C:\WINDOWS\system32\svchost.exe
FileSize: 14 Kb
Company Name: Microsoft Corporation
File Description: Generic Host Process for Win32 Services
File Version: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
Date Created: 30/08/2002 14:00:00
Last Modified: 19/08/2004 16:10:04
Internal Name: svchost.exe
Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: svchost.exe
Product Name: Microsoft® Windows® Operating System
Product Version: 5.1.2600.2180
--------------------
C:\Program Files\Windows Defender\MsMpEng.exe
FileSize: 13 Kb
Company Name: Microsoft Corporation
File Description: Service Executable
File Version: 1.1.1347.0
Date Created: 03/04/2006 18:12:14
Last Modified: 03/04/2006 18:12:14
Internal Name: MsMpEng.exe
Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: MsMpEng.exe
Product Name: Windows Defender
Product Version: 1.1.1347.0
--------------------
C:\WINDOWS\System32\svchost.exe
FileSize: 14 Kb
Company Name: Microsoft Corporation
File Description: Generic Host Process for Win32 Services
File Version: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
Date Created: 30/08/2002 14:00:00
Last Modified: 19/08/2004 16:10:04
Internal Name: svchost.exe
Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: svchost.exe
Product Name: Microsoft® Windows® Operating System
Product Version: 5.1.2600.2180
--------------------
C:\WINDOWS\System32\svchost.exe
FileSize: 14 Kb
Company Name: Microsoft Corporation
File Description: Generic Host Process for Win32 Services
File Version: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
Date Created: 30/08/2002 14:00:00
Last Modified: 19/08/2004 16:10:04
Internal Name: svchost.exe
Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: svchost.exe
Product Name: Microsoft® Windows® Operating System
Product Version: 5.1.2600.2180
--------------------
C:\WINDOWS\System32\svchost.exe
FileSize: 14 Kb
Company Name: Microsoft Corporation
File Description: Generic Host Process for Win32 Services
File Version: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
Date Created: 30/08/2002 14:00:00
Last Modified: 19/08/2004 16:10:04
Internal Name: svchost.exe
Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: svchost.exe
Product Name: Microsoft® Windows® Operating System
Product Version: 5.1.2600.2180
--------------------
C:\WINDOWS\system32\spoolsv.exe
FileSize: 56 Kb
Company Name: Microsoft Corporation
File Description: Spooler SubSystem App
File Version: 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)
Date Created: 30/08/2002 14:00:00
Last Modified: 11/06/2005 01:53:32
Internal Name: spoolsv.exe
Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: spoolsv.exe
Product Name: Microsoft® Windows® Operating System
Product Version: 5.1.2600.2696
--------------------
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
FileSize: 57 Kb
Date Created: 19/02/2006 12:39:44
Last Modified: 05/08/2006 17:10:10
--------------------
C:\Program Files\Alwil Software\Avast4\ashServ.exe
FileSize: 105 Kb
File Description: avast! antivirus service
File Version: 4, 7, 844, 0
Date Created: 19/02/2006 12:39:44
Last Modified: 05/08/2006 08:23:06
Internal Name: aswServ
Copyright: Copyright (c) 2006 ALWIL Software
Original Filename: aswServ.exe
Product Name: avast! Antivirus
Product Version: 4, 7, 0, 0
--------------------
C:\WINDOWS\Explorer.EXE
FileSize: 1012 Kb
Company Name: Microsoft Corporation
File Description: Explorateur Windows
File Version: 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
Date Created: 30/08/2002 14:00:00
Last Modified: 19/08/2004 16:09:54
Internal Name: explorer
Copyright: © Microsoft Corporation. Tous droits réservés.
Original Filename: EXPLORER.EXE
Product Name: Système d'exploitation Microsoft® Windows®
Product Version: 6.00.2900.2180
--------------------
C:\WINDOWS\system32\crypserv.exe
FileSize: 51 Kb
Company Name: Kenonic Controls Ltd.
File Description: CrypKey NT Service
File Version: 5.4.0
Date Created: 18/06/2006 17:01:46
Last Modified: 29/06/2000 10:45:10
Internal Name: crypserv
Copyright: Copyright © 2000
Trademark: CrypKey
Original Filename: crypserv.exe
Product Name: CrypKey Software Licensing System
Product Version: 5.4
Special Build: Fixes short\long path problem
Comments: Operates in all directories, not just configured ones. Directory configuration only used for fille clean up and uninstall. 0/3 fixed problem with other partitions. 0/6 fixed problem with short paths
--------------------
C:\Program Files\ewido anti-spyware 4.0\guard.exe
FileSize: 168 Kb
Company Name: Anti-Malware Development a.s.
File Description: ewido anti-spyware guard
File Version: 4, 0, 0, 172
Date Created: 16/06/2006 16:38:44
Last Modified: 16/06/2006 16:38:44
Internal Name: ewido anti-spywareguard
Copyright: Copyright © 2005 Anti-Malware Development a.s.
Original Filename: guard.exe
Product Name: ewido anti-spyware
Product Version: 4, 0, 0, 172
Special Build: Ewido_2006_0616_163629(172), SVNRev 43094 (/trunk)
--------------------
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
FileSize: 196 Kb
Company Name: Symantec Corporation
File Description: Norton Ghost Start
File Version: 2003.793
Date Created: 17/12/2003 16:51:44
Last Modified: 17/12/2003 16:51:44
Internal Name: GhostStartService
Copyright: Copyright (C) 1998-2003 Symantec Corp. All rights reserved.
Original Filename: GhostStartService.exe
Product Name: Norton Ghost Start Service
Product Version: 2003.793
--------------------
C:\WINDOWS\system32\slserv.exe
FileSize: 44 Kb
Company Name:
File Description: User-Level Modem Service
File Version: 2.80.00(24Apr2000)
Date Created: 06/08/2003 04:17:17
Last Modified: 17/01/2003 03:02:38
Internal Name: slserv
Copyright: Copyright © 1999-2000
Trademark:
Original Filename: slserv.exe
Private Build:
Product Name: Modem
Product Version: 2.80.00
Special Build:
Comments:
--------------------
C:\WINDOWS\System32\svchost.exe
FileSize: 14 Kb
Company Name: Microsoft Corporation
File Description: Generic Host Process for Win32 Services
File Version: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
Date Created: 30/08/2002 14:00:00
Last Modified: 19/08/2004 16:10:04
Internal Name: svchost.exe
Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: svchost.exe
Product Name: Microsoft® Windows® Operating System
Product Version: 5.1.2600.2180
--------------------
C:\WINDOWS\system32\wdfmgr.exe
FileSize: 38 Kb
Company Name: Microsoft Corporation
File Description: Windows User Mode Driver Manager
File Version: 5.2.3790.1230 built by: DNSRV(bld4act)
Date Created: 10/08/2004 23:05:14
Last Modified: 10/08/2004 23:05:14
Internal Name: WdfMgr
Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: WdfMgr.exe
Product Name: Microsoft® Windows® Operating System
Product Version: 5.2.3790.1230
--------------------
C:\WINDOWS\System32\alg.exe
FileSize: 43 Kb
Company Name: Microsoft Corporation
File Description: Application Layer Gateway Service
File Version: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
Date Created: 30/08/2002 14:00:00
Last Modified: 19/08/2004 16:09:52
Internal Name: ALG.exe
Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: ALG.exe
Product Name: Microsoft® Windows® Operating System
Product Version: 5.1.2600.2180
--------------------
C:\WINDOWS\System32\hkcmd.exe
FileSize: 112 Kb
Company Name: Intel Corporation
File Description: hkcmd Module
File Version: 3,0,0,2104
Date Created: 06/08/2003 04:17:41
Last Modified: 07/04/2003 00:07:38
Internal Name: HKCMD
Copyright: Copyright 1999-2003, Intel Corporation
Original Filename: HKCMD.EXE
Product Name: Intel(R) Common User Interface
Product Version: 7,0,0,2104
--------------------
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
FileSize: 37 Kb
Company Name: Logitech Inc.
File Description: Logitech Events Handler Application
File Version: 9.76.046
Date Created: 18/11/2004 00:29:31
Last Modified: 19/03/2003 10:50:00
Internal Name: Em_Exec
Copyright: (C) 1987-2003 Logitech. All rights reserved.
Trademark: Logitech® and MouseWare® are registered trademarks of Logitech Inc.
Original Filename: Em_Exec.exe
Product Name: MouseWare
Product Version: 9.76.046
Comments: Created by the MouseWare team
--------------------
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
FileSize: 105 Kb
File Description: avast! service GUI component
File Version: 5, 0, 0, 0
Date Created: 19/02/2006 12:39:44
Last Modified: 05/08/2006 08:23:12
Internal Name: aswDisp
Copyright: Copyright (c) 2006 ALWIL Software
Original Filename: aswDisp.exe
Product Name: avast! Antivirus
Product Version: 5, 0, 0, 0
--------------------
C:\Program Files\Windows Defender\MSASCui.exe
FileSize: 759 Kb
Company Name: Microsoft Corporation
File Description: Windows Defender User Interface
File Version: 1.1.1347.0
Date Created: 03/04/2006 18:12:24
Last Modified: 03/04/2006 18:12:24
Internal Name: MSASCUI
Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: MSASCUI.exe
Product Name: Windows Defender
Product Version: 1.1.1347.0
--------------------
C:\Program Files\Messenger\msmsgs.exe
FileSize: 1.62 Mb
Company Name: Microsoft Corporation
File Description: Windows Messenger
File Version: 4.7.3001
Date Created: 14/04/2003 21:05:50
Last Modified: 13/10/2004 18:24:38
Internal Name: msmsgs
Copyright: Copyright (c) Microsoft Corporation 2004
Trademark: Microsoft(R) is a registered trademark of Microsoft Corporation in the U.S. and/or other countries.
Original Filename: msmsgs.exe
Product Name: Messenger
Product Version: Version 4.7.3001
--------------------
C:\Documents and Settings\All Users\Application Data\Trojan Remover\cpc2D5.exe
FileSize: 1.58 Mb
[This is a Trojan Remover component]
--------------------
C:\Documents and Settings\All Users\Application Data\Trojan Remover\cpc2D5.exe
FileSize: 1.58 Mb
[This is a Trojan Remover component]
--------------------
C:\WINDOWS\system32\wscntfy.exe
FileSize: 13 Kb
Company Name: Microsoft Corporation
File Description: Windows Security Center Notification App
File Version: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
Date Created: 25/05/2005 15:13:03
Last Modified: 19/08/2004 16:10:06
Internal Name: wscntfy.exe
Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: wscntfy.exe
Product Name: Microsoft® Windows® Operating System
Product Version: 5.1.2600.2180
--------------------
Checking Registry exefile command for modifications
Checking Registry comfile command for modifications
Checking Registry piffile command for modifications
Checking Registry batfile command for modifications
Checking Registry regfile command for modifications
Checking Registry cmdfile command for modifications
Checking Registry scrfile command for modifications
------------------------------
00:56:16: Scanning ----------WIN.INI-----------
WIN.INI found in C:\WINDOWS
------------------------------
00:56:16: Scanning --------SYSTEM.INI---------
SYSTEM.INI found in C:\WINDOWS
------------------------------
00:56:16: ----- SCANNING FOR ROOTKIT SERVICES -----
No hidden Services were detected.
------------------------------
00:56:16: Scanning -----WINDOWS REGISTRY-----
Checking HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Vxd
--------------------
Checking HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon
--------------------
Checking HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon
This key's "Shell" value calls the following program(s):
Explorer.exe - this entry has been left in place
--------------------
This key's "Userinit" value calls the following program(s):
C:\WINDOWS\system32\userinit.exe - this entry has been left in place
--------------------
--------------------
Checking HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
--------------------
Checking HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Value Name = load
The Data Value for this entry appears to be blank
--------------------
--------------------
Checking HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
This Registry Key attempts to run the following program(s):
Value Name = HotKeysCmds
Value Data = C:\WINDOWS\System32\hkcmd.exe - this command has been left in place
--------------------
Value Name = Logitech Utility
Value Data = Logi_MwX.Exe - this command has been left in place
--------------------
Value Name = avast!
Value Data = C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe - this command has been left in place
--------------------
Value Name = Windows Defender
Value Data = C:\Program Files\Windows Defender\MSASCui.exe" -hide - this command has been left in place
--------------------
Value Name = QuickTime Task
Value Data = C:\Program Files\QuickTime\qttask.exe" -atboottime - this command has been left in place
--------------------
Value Name = TrojanScanner
Value Data = C:\Program Files\Trojan Remover\Trjscan.exe - this program is Trojan Remover's own scan file
--------------------
--------------------
Checking HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
This Registry Key appears to be empty
--------------------
Checking HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
This Registry Key appears to be empty
--------------------
Checking HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
This Registry Key appears to be empty
--------------------
Checking HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
This Registry Key appears to be empty
--------------------
Checking HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
This Registry Key attempts to run the following program(s):
Value Name = MSMSGS
Value Data = C:\Program Files\Messenger\msmsgs.exe" /background - this command has been left in place
--------------------
Value Name = Skype
Value Data = C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized - this command has been left in place
--------------------
--------------------
Checking HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
This Registry Key appears to be empty
--------------------
Checking HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
This Registry Key appears to be empty
--------------------
Checking HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
This Registry Key appears to be empty
--------------------
Checking for an active ScreenSaver:
ScreenSaver=C:\WINDOWS\System32\ssmypics.scr - this command has been left in place
--------------------
------------------------------
00:56:17: Scanning ----- REGISTRY ACTIVE SETUP KEYS -----
Checking the StubPath calls in the Active Setup\Installed Components registry keys:
Key=>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}
StubPath=C:\WINDOWS\inf\unregmp2.exe - this reference has been left in place
----------
Key=>{26923b43-4d38-484f-9b9e-de460746276c}
StubPath=C:\WINDOWS\system32\shmgrate.exe - this reference has been left in place
----------
Key=>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}
StubPath=C:\WINDOWS\system32\shmgrate.exe - this reference has been left in place
----------
Key={2C7339CF-2B09-4501-B3F3-F3508C9228ED}
StubPath=C:\WINDOWS\system32\regsvr32.exe - this reference has been left in place
----------
Key={44BBA840-CC51-11CF-AAFA-00AA00B6015C}
StubPath=C:\Program Files\Outlook Express\setup50.exe - this reference has been left in place
----------
Key={7790769C-0471-11d2-AF11-00C04FA35D02}
StubPath=C:\Program Files\Outlook Express\setup50.exe - this reference has been left in place
----------
Key={89820200-ECBD-11cf-8B85-00AA005B4340}
StubPath=regsvr32.exe - this reference has been left in place
----------
Key={89820200-ECBD-11cf-8B85-00AA005B4383}
StubPath=C:\WINDOWS\system32\ie4uinit.exe - this reference has been left in place
----------
------------------------------
00:56:18: Scanning ----- NT/XP SERVICEDLL REGISTRY KEYS -----
Checking DLL files called from the NT/XP CurrentControlSet\Services Keys:
Key=Alerter
ServiceDLL=%SystemRoot%\system32\alrsvc.dll - this reference has been left in place
Key=AppMgmt
ServiceDLL=%SystemRoot%\System32\appmgmts.dll - this reference has been left in place [file not found to scan]
Key=AudioSrv
ServiceDLL=%SystemRoot%\System32\audiosrv.dll - this reference has been left in place
Key=BITS
ServiceDLL=C:\WINDOWS\System32\qmgr.dll - this reference has been left in place
Key=Browser
ServiceDLL=%SystemRoot%\System32\browser.dll - this reference has been left in place
Key=CryptSvc
ServiceDLL=%SystemRoot%\System32\cryptsvc.dll - this reference has been left in place
Key=DcomLaunch
ServiceDLL=%SystemRoot%\system32\rpcss.dll - this reference has been left in place
Key=Dhcp
ServiceDLL=%SystemRoot%\System32\dhcpcsvc.dll - this reference has been left in place
Key=dmserver
ServiceDLL=%SystemRoot%\System32\dmserver.dll - this reference has been left in place
Key=Dnscache
ServiceDLL=%SystemRoot%\System32\dnsrslvr.dll - this reference has been left in place
Key=ERSvc
ServiceDLL=%SystemRoot%\System32\ersvc.dll - this reference has been left in place
Key=EventSystem
ServiceDLL=C:\WINDOWS\System32\es.dll - this reference has been left in place
Key=FastUserSwitchingCompatibility
ServiceDLL=%SystemRoot%\System32\shsvcs.dll - this reference has been left in place
Key=helpsvc
ServiceDLL=%WINDIR%\PCHealth\HelpCtr\Binaries\pchsvc.dll - this reference has been left in place
Key=HidServ
ServiceDLL=%SystemRoot%\System32\hidserv.dll - this reference has been left in place [file not found to scan]
Key=HTTPFilter
ServiceDLL=%SystemRoot%\System32\w3ssl.dll - this reference has been left in place
Key=lanmanserver
ServiceDLL=%SystemRoot%\System32\srvsvc.dll - this reference has been left in place
Key=lanmanworkstation
ServiceDLL=%SystemRoot%\System32\wkssvc.dll - this reference has been left in place
Key=LmHosts
ServiceDLL=%SystemRoot%\System32\lmhsvc.dll - this reference has been left in place
Key=Messenger
ServiceDLL=%SystemRoot%\System32\msgsvc.dll - this reference has been left in place
Key=Netman
ServiceDLL=%SystemRoot%\System32\netman.dll - this reference has been left in place
Key=Nla
ServiceDLL=%SystemRoot%\System32\mswsock.dll - this reference has been left in place
Key=NtmsSvc
ServiceDLL=%SystemRoot%\system32\ntmssvc.dll - this reference has been left in place
Key=RasAuto
ServiceDLL=%SystemRoot%\System32\rasauto.dll - this reference has been left in place
Key=RasMan
ServiceDLL=%SystemRoot%\System32\rasmans.dll - this reference has been left in place
Key=RemoteAccess
ServiceDLL=%SystemRoot%\System32\mprdim.dll - this reference has been left in place
Key=RpcSs
ServiceDLL=%SystemRoot%\system32\rpcss.dll - this reference has been left in place
Key=Schedule
ServiceDLL=%SystemRoot%\system32\schedsvc.dll - this reference has been left in place
Key=seclogon
ServiceDLL=%SystemRoot%\System32\seclogon.dll - this reference has been left in place
Key=SENS
ServiceDLL=%SystemRoot%\system32\sens.dll - this reference has been left in place
Key=SharedAccess
ServiceDLL=%SystemRoot%\System32\ipnathlp.dll - this reference has been left in place
Key=ShellHWDetection
ServiceDLL=%SystemRoot%\System32\shsvcs.dll - this reference has been left in place
Key=srservice
ServiceDLL=C:\WINDOWS\System32\srsvc.dll - this reference has been left in place
Key=SSDPSRV
ServiceDLL=%SystemRoot%\System32\ssdpsrv.dll - this reference has been left in place
Key=stisvc
ServiceDLL=%SystemRoot%\system32\wiaservc.dll - this reference has been left in place
Key=TapiSrv
ServiceDLL=%SystemRoot%\System32\tapisrv.dll - this reference has been left in place
Key=TermService
ServiceDLL=%SystemRoot%\System32\termsrv.dll - this reference has been left in place
Key=Themes
ServiceDLL=%SystemRoot%\System32\shsvcs.dll - this reference has been left in place
Key=TrkWks
ServiceDLL=%SystemRoot%\system32\trkwks.dll - this reference has been left in place
Key=upnphost
ServiceDLL=%SystemRoot%\System32\upnphost.dll - this reference has been left in place
Key=W32Time
ServiceDLL=C:\WINDOWS\System32\w32time.dll - this reference has been left in place
Key=WebClient
ServiceDLL=%SystemRoot%\System32\webclnt.dll - this reference has been left in place
Key=winmgmt
ServiceDLL=%SystemRoot%\system32\wbem\WMIsvc.dll - this reference has been left in place
Key=WmdmPmSN
ServiceDLL=C:\WINDOWS\system32\MsPMSNSv.dll - this reference has been left in place
Key=wscsvc
ServiceDLL=%SYSTEMROOT%\system32\wscsvc.dll - this reference has been left in place
Key=wuauserv
ServiceDLL=C:\WINDOWS\system32\wuauserv.dll - this reference has been left in place
Key=WZCSVC
ServiceDLL=%SystemRoot%\System32\wzcsvc.dll - this reference has been left in place
Key=xmlprov
ServiceDLL=%SystemRoot%\System32\xmlprov.dll - this reference has been left in place
------------------------------
00:56:24: Scanning ----- NT/XP SERVICES REGISTRY KEYS -----
Checking files called from the NT/XP CurrentControlSet\Services Keys:
Key=ACPI
ImagePath=System32\DRIVERS\ACPI.sys - this reference has been left in place
----------
Key=aec
ImagePath=system32\drivers\aec.sys - this reference has been left in place
----------
Key=AFD
ImagePath=\SystemRoot\System32\drivers\afd.sys - this reference has been left in place
----------
Key=ALCXWDM
ImagePath=system32\drivers\ALCXWDM.SYS - this reference has been left in place
----------
Key=ALG
ImagePath=%SystemRoot%\System32\alg.exe - this reference has been left in place
----------
Key=aswUpdSv
ImagePath="C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe" - this reference has been left in place
----------
Key=AsyncMac
ImagePath=System32\DRIVERS\asyncmac.sys - this reference has been left in place
----------
Key=atapi
ImagePath=System32\DRIVERS\atapi.sys - this reference has been left in place
----------
Key=Atmarpc
ImagePath=System32\DRIVERS\atmarpc.sys - this reference has been left in place
----------
Key=audstub
ImagePath=System32\DRIVERS\audstub.sys - this reference has been left in place
----------
Key=avast! Antivirus
ImagePath="C:\Program Files\Alwil Software\Avast4\ashServ.exe" - this reference has been left in place
----------
Key=avast! Mail Scanner
ImagePath="C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service - this reference has been left in place
----------
Key=avast! Web Scanner
ImagePath="C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service - this reference has been left in place
----------
Key=Cdrom
ImagePath=System32\DRIVERS\cdrom.sys - this reference has been left in place
----------
Key=CiSvc
ImagePath=%SystemRoot%\system32\cisvc.exe - this reference has been left in place
----------
Key=ClipSrv
ImagePath=%SystemRoot%\system32\clipsrv.exe - this reference has been left in place
----------
Key=COMSysApp
ImagePath=C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} - this reference has been left in place
----------
Key=Crypkey License
ImagePath=crypserv.exe - this reference has been left in place
----------
Key=Disk
ImagePath=System32\DRIVERS\disk.sys - this reference has been left in place
----------
Key=dmadmin
ImagePath=%SystemRoot%\System32\dmadmin.exe /com - this reference has been left in place
----------
Key=dmboot
ImagePath=System32\drivers\dmboot.sys - this reference has been left in place
----------
Key=DMusic
ImagePath=system32\drivers\DMusic.sys - this reference has been left in place
----------
Key=drmkaud
ImagePath=system32\drivers\drmkaud.sys - this reference has been left in place
----------
Key=Eventlog
ImagePath=%SystemRoot%\system32\services.exe - this reference has been left in place
----------
Key=ewido anti-spyware 4.0 driver
ImagePath=\??\C:\Program Files\ewido anti-spyware 4.0\guard.sys - this reference has been left in place
----------
Key=ewido anti-spyware 4.0 guard
ImagePath=C:\Program Files\ewido anti-spyware 4.0\guard.exe - this reference has been left in place
----------
Key=Fax
ImagePath=%systemroot%\system32\fxssvc.exe - this reference has been left in place
----------
Key=Fdc
ImagePath=System32\DRIVERS\fdc.sys - this reference has been left in place
----------
Key=Flpydisk
ImagePath=System32\DRIVERS\flpydisk.sys - this reference has been left in place
----------
Key=FltMgr
ImagePath=system32\drivers\fltmgr.sys - this reference has been left in place
----------
Key=Ftdisk
ImagePath=System32\DRIVERS\ftdisk.sys - this reference has been left in place
----------
Key=GhostStartService
ImagePath=C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe - this reference has been left in place
----------
Key=GhPciScan
ImagePath=\??\C:\Program Files\Symantec\Norton Ghost 2003\ghpciscan.sys - this reference has been left in place
----------
Key=Gpc
ImagePath=System32\DRIVERS\msgpc.sys - this reference has been left in place
----------
Key=HTTP
ImagePath=System32\Drivers\HTTP.sys - this reference has been left in place
----------
Key=i8042prt
ImagePath=System32\DRIVERS\i8042prt.sys - this reference has been left in place
----------
Key=ialm
ImagePath=System32\DRIVERS\ialmnt5.sys - this reference has been left in place
----------
Key=Imapi
ImagePath=System32\DRIVERS\imapi.sys - this reference has been left in place
----------
Key=ImapiService
ImagePath=C:\WINDOWS\System32\imapi.exe - this reference has been left in place
----------
Key=IntelIde
ImagePath=System32\DRIVERS\intelide.sys - this reference has been left in place
----------
Key=intelppm
ImagePath=System32\DRIVERS\intelppm.sys - this reference has been left in place
----------
Key=ip6fw
ImagePath=system32\drivers\ip6fw.sys - this reference has been left in place
----------
Key=IpFilterDriver
ImagePath=System32\DRIVERS\ipfltdrv.sys - this reference has been left in place
----------
Key=IpInIp
ImagePath=System32\DRIVERS\ipinip.sys - this reference has been left in place
----------
Key=IpNat
ImagePath=System32\DRIVERS\ipnat.sys - this reference has been left in place
----------
Key=IPSec
ImagePath=System32\DRIVERS\ipsec.sys - this reference has been left in place
----------
Key=IRENUM
ImagePath=System32\DRIVERS\irenum.sys - this reference has been left in place
----------
Key=isapnp
ImagePath=System32\DRIVERS\isapnp.sys - this reference has been left in place
----------
Key=Kbdclass
ImagePath=System32\DRIVERS\kbdclass.sys - this reference has been left in place
----------
Key=kmixer
ImagePath=system32\drivers\kmixer.sys - this reference has been left in place
----------
Key=L8042pr2
ImagePath=System32\DRIVERS\L8042pr2.Sys - this reference has been left in place
----------
Key=LHidFlt2
ImagePath=System32\DRIVERS\LHidFlt2.Sys - this reference has been left in place
----------
Key=LHidUsb
ImagePath=System32\Drivers\LHidUsb.Sys - this reference has been left in place
----------
Key=LMouFlt2
ImagePath=System32\DRIVERS\LMouFlt2.Sys - this reference has been left in place
----------
Key=mnmsrvc
ImagePath=C:\WINDOWS\System32\mnmsrvc.exe - this reference has been left in place
----------
Key=Mouclass
ImagePath=System32\DRIVERS\mouclass.sys - this reference has been left in place
----------
Key=mouhid
ImagePath=System32\DRIVERS\mouhid.sys - this reference has been left in place
----------
Key=MRxDAV
ImagePath=System32\DRIVERS\mrxdav.sys - this reference has been left in place
----------
Key=MRxSmb
ImagePath=System32\DRIVERS\mrxsmb.sys - this reference has been left in place
----------
Key=MSDTC
ImagePath=C:\WINDOWS\System32\msdtc.exe - this reference has been left in place
----------
Key=MSIServer
ImagePath=C:\WINDOWS\system32\msiexec.exe /V - this reference has been left in place
----------
Key=MSKSSRV
ImagePath=system32\drivers\MSKSSRV.sys - this reference has been left in place
----------
Key=MSPCLOCK
ImagePath=system32\drivers\MSPCLOCK.sys - this reference has been left in place
----------
Key=MSPQM
ImagePath=system32\drivers\MSPQM.sys - this reference has been left in place
----------
Key=mssmbios
ImagePath=System32\DRIVERS\mssmbios.sys - this reference has been left in place
----------
Key=Mtlmnt5
ImagePath=System32\DRIVERS\Mtlmnt5.sys - this reference has been left in place
----------
Key=Mtlstrm
ImagePath=System32\DRIVERS\Mtlstrm.sys - this reference has been left in place
----------
Key=NdisTapi
ImagePath=System32\DRIVERS\ndistapi.sys - this reference has been left in place
----------
Key=Ndisuio
ImagePath=System32\DRIVERS\ndisuio.sys - this reference has been left in place
----------
Key=NdisWan
ImagePath=System32\DRIVERS\ndiswan.sys - this reference has been left in place
----------
Key=NetBIOS
ImagePath=System32\DRIVERS\netbios.sys - this reference has been left in place
----------
Key=NetBT
ImagePath=System32\DRIVERS\netbt.sys - this reference has been left in place
----------
Key=NetDDE
ImagePath=%SystemRoot%\system32\netdde.exe - this reference has been left in place
----------
Key=NetDDEdsdm
ImagePath=%SystemRoot%\system32\netdde.exe - this reference has been left in place
----------
Key=Netlogon
ImagePath=%SystemRoot%\System32\lsass.exe - this reference has been left in place
----------
Key=NetworkX
ImagePath=\SystemRoot\system32\ckldrv.sys - this reference has been left in place
----------
Key=NtLmSsp
ImagePath=%SystemRoot%\System32\lsass.exe - this reference has been left in place
----------
Key=NtMtlFax
ImagePath=System32\DRIVERS\NtMtlFax.sys - this reference has been left in place
----------
Key=NwlnkFlt
ImagePath=System32\DRIVERS\nwlnkflt.sys - this reference has been left in place
----------
Key=NwlnkFwd
ImagePath=System32\DRIVERS\nwlnkfwd.sys - this reference has been left in place
----------
Key=O&O Defrag
ImagePath=C:\WINDOWS\system32\oodag.exe - this reference has been left in place
----------
Key=Parport
ImagePath=System32\DRIVERS\parport.sys - this reference has been left in place
----------
Key=PCI
ImagePath=System32\DRIVERS\pci.sys - this reference has been left in place
----------
Key=PCIIde
ImagePath=System32\DRIVERS\pciide.sys - this reference has been left in place
----------
Key=Pcouffin
ImagePath=System32\Drivers\Pcouffin.sys - this reference has been left in place
----------
Key=PlugPlay
ImagePath=%SystemRoot%\system32\services.exe - this reference has been left in place
----------
Key=PolicyAgent
ImagePath=%SystemRoot%\System32\lsass.exe - this reference has been left in place
----------
Key=PptpMiniport
ImagePath=System32\DRIVERS\raspptp.sys - this reference has been left in place
----------
Key=Processor
ImagePath=System32\DRIVERS\processr.sys - this reference has been left in place
----------
Key=ProtectedStorage
ImagePath=%SystemRoot%\system32\lsass.exe - this reference has been left in place
----------
Key=PSched
ImagePath=System32\DRIVERS\psched.sys - this reference has been left in place
----------
Key=Ptilink
ImagePath=System32\DRIVERS\ptilink.sys - this reference has been left in place
----------
Key=PxHelp20
ImagePath=System32\DRIVERS\PxHelp20.sys - this reference has been left in place
----------
Key=RasAcd
ImagePath=System32\DRIVERS\rasacd.sys - this reference has been left in place
----------
Key=Rasl2tp
ImagePath=System32\DRIVERS\rasl2tp.sys - this reference has been left in place
----------
Key=RasPppoe
ImagePath=System32\DRIVERS\raspppoe.sys - this reference has been left in place
----------
Key=Raspti
ImagePath=System32\DRIVERS\raspti.sys - this reference has been left in place
----------
Key=Rdbss
ImagePath=System32\DRIVERS\rdbss.sys - this reference has been left in place
----------
Key=RDPCDD
ImagePath=System32\DRIVERS\RDPCDD.sys - this reference has been left in place
----------
Key=RDSessMgr
ImagePath=C:\WINDOWS\system32\sessmgr.exe - this reference has been left in place
----------
Key=RecAgent
ImagePath=\??\C:\WINDOWS\System32\DRIVERS\RecAgent.sys - this reference has been left in place
----------
Key=redbook
ImagePath=System32\DRIVERS\redbook.sys - this reference has been left in place
----------
Key=RpcLocator
ImagePath=%SystemRoot%\System32\locator.exe - this reference has been left in place
----------
Key=RSVP
ImagePath=%SystemRoot%\System32\rsvp.exe - this reference has been left in place
----------
Key=rtl8139
ImagePath=System32\DRIVERS\R8139n51.SYS - this reference has been left in place
----------
Key=SamSs
ImagePath=%SystemRoot%\system32\lsass.exe - this reference has been left in place
----------
Key=SCardSvr
ImagePath=%SystemRoot%\System32\SCardSvr.exe - this reference has been left in place
----------
Key=ScsiPort
ImagePath=%SystemRoot%\system32\drivers\scsiport.sys - this reference has been left in place
----------
Key=Secdrv
ImagePath=System32\DRIVERS\secdrv.sys - this reference has been left in place
----------
Key=serenum
ImagePath=System32\DRIVERS\serenum.sys - this reference has been left in place
----------
Key=Serial
ImagePath=System32\DRIVERS\serial.sys - this reference has been left in place
----------
Key=Slntamr
ImagePath=System32\DRIVERS\slntamr.sys - this reference has been left in place
----------
Key=SlNtHal
ImagePath=System32\DRIVERS\Slnthal.sys - this reference has been left in place
----------
Key=SLService
ImagePath=slserv.exe - this reference has been left in place
----------
Key=SlWdmSup
ImagePath=System32\DRIVERS\SlWdmSup.sys - this reference has been left in place
----------
Key=splitter
ImagePath=system32\drivers\splitter.sys - this reference has been left in place
----------
Key=Spooler
ImagePath=%SystemRoot%\system32\spoolsv.exe - this reference has been left in place
----------
Key=sr
ImagePath=System32\DRIVERS\sr.sys - this reference has been left in place
----------
Key=Srv
ImagePath=System32\DRIVERS\srv.sys - this reference has been left in place
----------
Key=swenum
ImagePath=System32\DRIVERS\swenum.sys - this reference has been left in place
----------
Key=swmidi
ImagePath=system32\drivers\swmidi.sys - this reference has been left in place
----------
Key=SwPrv
ImagePath=C:\WINDOWS\System32\dllhost.exe /Processid:{EE165A20-C9A7-4FF1-850E-85B60ED4D7BF} - this reference has been left in place
----------
Key=sysaudio
ImagePath=system32\drivers\sysaudio.sys - this reference has been left in place
----------
Key=SysmonLog
ImagePath=%SystemRoot%\system32\smlogsvc.exe - this reference has been left in place
----------
Key=Tcpip
ImagePath=System32\DRIVERS\tcpip.sys - this reference has been left in place
----------
Key=TermDD
ImagePath=System32\DRIVERS\termdd.sys - this reference has been left in place
----------
Key=UMWdf
ImagePath=C:\WINDOWS\system32\wdfmgr.exe - this reference has been left in place
----------
Key=Update
ImagePath=System32\DRIVERS\update.sys - this reference has been left in place
----------
Key=UPS
ImagePath=%SystemRoot%\System32\ups.exe - this reference has been left in place
----------
Key=usbehci
ImagePath=System32\DRIVERS\usbehci.sys - this reference has been left in place
----------
Key=usbhub
ImagePath=System32\DRIVERS\usbhub.sys - this reference has been left in place
----------
Key=usbscan
ImagePath=System32\DRIVERS\usbscan.sys - this reference has been left in place
----------
Key=USBSTOR
ImagePath=System32\DRIVERS\USBSTOR.SYS - this reference has been left in place
----------
Key=usbuhci
ImagePath=System32\DRIVERS\usbuhci.sys - this reference has been left in place
----------
Key=VgaSave
ImagePath=\SystemRoot\System32\drivers\vga.sys - this reference has been left in place
----------
Key=VSS
ImagePath=%SystemRoot%\System32\vssvc.exe - this reference has been left in place
----------
Key=Wanarp
ImagePath=System32\DRIVERS\wanarp.sys - this reference has been left in place
----------
Key=wdmaud
ImagePath=system32\drivers\wdmaud.sys - this reference has been left in place
----------
Key=WinDefend
ImagePath="C:\Program Files\Windows Defender\MsMpEng.exe" - this reference has been left in place
----------
Key=WmiApSrv
ImagePath=C:\WINDOWS\System32\wbem\wmiapsrv.exe - this reference has been left in place
----------
Key={6080A529-897E-4629-A488-ABA0C29B635E}
ImagePath=system32\drivers\ialmsbw.sys - this reference has been left in place
----------
Key={D31A0762-0CEB-444e-ACFF-B049A1F6FE91}
ImagePath=system32\drivers\ialmkchw.sys - this reference has been left in place
----------
------------------------------
00:56:44: Scanning -----VXD ENTRIES-----
Checking the following VxD entries:
VxD Key = JAVASUP
Vxd = JAVASUP.VXD - this command has been left in place
---------
Checking VMM32 VxD files being loaded
------------------------------
00:56:44: Scanning ----- WINLOGON\NOTIFY DLLS -----
Checking DLLs called from the Winlogon\Notify key:
Key=crypt32chain
DLLName=crypt32.dll - this reference has been left in place
----------
Key=cryptnet
DLLName=cryptnet.dll - this reference has been left in place
----------
Key=cscdll
DLLName=cscdll.dll - this reference has been left in place
----------
Key=igfxcui
DLLName=igfxsrvc.dll - this reference has been left in place
----------
Key=jkkli
DLLName=C:\WINDOWS\system32\jkkli.dll - appears to contain ADWARE.VIRTUMONDE (HEURISTIC DETECTION)
DLLName=C:\WINDOWS\system32\jkkli.dll - this call has been removed
C:\WINDOWS\system32\jkkli.dll - has HIDDEN attribute set
C:\WINDOWS\system32\jkkli.dll - HIDDEN attribute removed
C:\WINDOWS\system32\jkkli.dll - has SYSTEM attribute set
C:\WINDOWS\system32\jkkli.dll - SYSTEM attribute removed
C:\WINDOWS\system32\jkkli.dll has been marked for renaming during PC restart
----------
Key=ScCertProp
DLLName=wlnotify.dll - this reference has been left in place
----------
Key=Schedule
DLLName=wlnotify.dll - this reference has been left in place
----------
Key=sclgntfy
DLLName=sclgntfy.dll - this reference has been left in place
----------
Key=SensLogn
DLLName=WlNotify.dll - this reference has been left in place
----------
Key=termsrv
DLLName=wlnotify.dll - this reference has been left in place
----------
Key=WgaLogon
DLLName=WgaLogon.dll - this reference has been left in place
----------
Key=winrkq32
DLLName=winrkq32.dll - this reference has been left in place [file not found to scan]
----------
Key=wlballoon
DLLName=wlnotify.dll - this reference has been left in place
----------
Key=WRNotifier
DLLName=WRLogonNTF.dll - this reference has been left in place [file not found to scan]
----------
------------------------------
00:57:53: Scanning ----- CONTEXTMENUHANDLERS -----
Key = avast
CLSID = {472083B0-C522-11CF-8763-00608CC02F24}
C:\Program Files\Alwil Software\Avast4\ashShell.dll - this ContextMenuHandler has been left in place
----------
Key = AVG Shell Extension
CLSID = {1E2CDF40-419B-11D2-A5A1-002018648BA7}
File = [CLSID does not appear to reference a file]
----------
Key = BriefcaseMenu
CLSID = {85BBD920-42A0-1069-A2E4-08002B30309D}
syncui.dll - this ContextMenuHandler has been left in place
----------
Key = ewido anti-spyware
CLSID = {8934FCEF-F5B8-468f-951F-78A921CD3920}
C:\Program Files\ewido anti-spyware 4.0\context.dll - this ContextMenuHandler has been left in place
----------
Key = IZArcCM
CLSID = {8D9D4D0D-FDDD-44CB-AAB2-6161FA0757C5}
C:\PROGRA~1\IZArc\IZArcCM.dll - this ContextMenuHandler has been left in place
----------
Key = Offline Files
CLSID = {750fdf0e-2a26-11d1-a3ea-080036587f03}
%SystemRoot%\System32\cscui.dll - this ContextMenuHandler has been left in place
----------
Key = Open With
CLSID = {09799AFB-AD67-11d1-ABCD-00C04FC30936}
%SystemRoot%\system32\SHELL32.dll - this ContextMenuHandler has been left in place
----------
Key = Open With EncryptionMenu
CLSID = {A470F8CF-A1E8-4f65-8335-227475AA5C46}
%SystemRoot%\system32\SHELL32.dll - this ContextMenuHandler has been left in place
----------
Key = Trojan Remover
CLSID = {52B87208-9CCF-42C9-B88E-069281105805}
C:\PROGRA~1\TROJAN~1\Trshlex.dll - this ContextMenuHandler has been left in place
----------
Key = {a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
%SystemRoot%\system32\SHELL32.dll - this ContextMenuHandler has been left in place
----------
------------------------------
00:57:55: Scanning ----- FOLDER\COLUMNHANDLERS -----
Key = {0D2E74C4-3C34-11d2-A27E-00C04FC30871}
%SystemRoot%\system32\SHELL32.dll - this Folder\ColumnHandler has been left in place
----------
Key = {24F14F01-7B1C-11d1-838f-0000F80461CF}
%SystemRoot%\system32\SHELL32.dll - this Folder\ColumnHandler has been left in place
----------
Key = {24F14F02-7B1C-11d1-838f-0000F80461CF}
%SystemRoot%\system32\SHELL32.dll - this Folder\ColumnHandler has been left in place
----------
Key = {66742402-F9B9-11D1-A202-0000F81FEDEE}
%SystemRoot%\system32\SHELL32.dll - this Folder\ColumnHandler has been left in place
----------
Key = {F9DB5320-233E-11D1-9F84-707F02C10627}
C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll - this Folder\ColumnHandler has been left in place
----------
------------------------------
00:57:55: Scanning ----- BROWSER HELPER OBJECTS -----
Key = {02478D38-C3F9-4EFB-9B51-7695ECA05670}
C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll - this Browser Helper Object has been left in place
----------
Key = {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - this Browser Helper Object has been left in place
----------
Key = {53707962-6F74-2D53-2644-206D7942484F}
C:\PROGRA~1\SPYBOT~1\SDHelper.dll - this Browser Helper Object has been left in place
----------
C:\WINDOWS\system32\jkkli.dll - appears to contain ADWARE.VIRTUMONDE (HEURISTIC DETECTION)
C:\WINDOWS\system32\jkkli.dll - this Browser Helper Object was being loaded by the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{61EF6ACA-27CC-41AC-9BF3-F53BF2D268B5} - this key has been removed
C:\WINDOWS\system32\jkkli.dll - this Browser Helper Object was referenced by the following key:
HKEY_CLASSES_ROOT\CLSID\{61EF6ACA-27CC-41AC-9BF3-F53BF2D268B5} - this key has been removed
C:\WINDOWS\system32\jkkli.dll has been marked for renaming during PC restart
----------
Key = {AA58ED58-01DD-4d91-8333-CF10577473F7}
c:\program files\google\googletoolbar2.dll - this Browser Helper Object has been left in place
----------
------------------------------
00:58:05: Scanning ----- SHELLSERVICEOBJECTS -----
Key = PostBootReminder
%SystemRoot%\system32\SHELL32.dll - this ShellServiceObject has been left in place
----------
Key = CDBurn
%SystemRoot%\system32\SHELL32.dll - this ShellServiceObject has been left in place
----------
Key = WebCheck
%SystemRoot%\System32\webcheck.dll - this ShellServiceObject has been left in place
----------
Key = SysTray
C:\WINDOWS\System32\stobject.dll - this ShellServiceObject has been left in place
----------
------------------------------
00:58:06: Scanning ----- SHAREDTASKSCHEDULER ENTRIES -----
Value = {438755C2-A8BA-11D1-B96B-00A0C90312E1}
Comment = Pré-chargeur Browseui
File: %SystemRoot%\System32\browseui.dll - this SharedTaskScheduler entry has been left in place
----------
Value = {8C7461EF-2B13-11d2-BE35-3078302C2030}
Comment = Démon de cache des catégories de composant
File: %SystemRoot%\System32\browseui.dll - this SharedTaskScheduler entry has been left in place
----------
------------------------------
00:58:07: Scanning ----- IMAGEFILE DEBUGGERS -----
No "Debugger" entries found.
------------------------------
00:58:07: Scanning ----- APPINIT_DLLS -----
The AppInit_DLLs value is blank
------------------------------
00:58:07: Scanning ------ COMMON STARTUP GROUP ------
The Common Startup Group attempts to load the following file(s) at boot time:
desktop.ini - this file is expected and has been left in place
------------------------------
No User Startup Groups were located to check
------------------------------
00:58:07: Scanning ----- SCHEDULED TASKS -----
------------------------------
00:58:07: ----- EXTRA REGISTRY CHECKS -----
72 subkeys checked - all ok.
--------------------
------------------------------
00:58:07: Scanning ------ DOWNLOADED PROGRAM FILES ------
The following files are located in the DOWNLOADED PROGRAM FILES directory:
C:\WINDOWS\Downloaded Program Files\asinst.dll - this file has been left in place
C:\WINDOWS\Downloaded Program Files\asinst.inf - this file has been left in place
C:\WINDOWS\Downloaded Program Files\bdcore.dll - this file has been left in place
C:\WINDOWS\Downloaded Program Files\bdupd.dll - this file has been left in place
C:\WINDOWS\Downloaded Program Files\desktop.ini - this file is expected and has been left in place
C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd - this file has been left in place
C:\WINDOWS\Downloaded Program Files\erma.inf - this file has been left in place
C:\WINDOWS\Downloaded Program Files\installer2.dll - this file has been left in place
C:\WINDOWS\Downloaded Program Files\IPIXX.inf - this file has been left in place
C:\WINDOWS\Downloaded Program Files\ipixx.ocx - this file has been left in place
C:\WINDOWS\Downloaded Program Files\ipsupd.dll - this file has been left in place
C:\WINDOWS\Downloaded Program Files\iuctl.inf - this file has been left in place
C:\WINDOWS\Downloaded Program Files\lang.ini - this file has been left in place
C:\WINDOWS\Downloaded Program Files\LegitCheckControl.inf - this file has been left in place
C:\WINDOWS\Downloaded Program Files\libfn.dll - this file has been left in place
C:\WINDOWS\Downloaded Program Files\live.ini - this file has been left in place
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd - this file has been left in place
C:\WINDOWS\Downloaded Program Files\oscan8.inf - this file has been left in place
C:\WINDOWS\Downloaded Program Files\oscan8.ocx - this file has been left in place
C:\WINDOWS\Downloaded Program Files\oscan81.ocx_x - this file has been left in place
C:\WINDOWS\Downloaded Program Files\scanoptions.tsi - this file has been left in place
C:\WINDOWS\Downloaded Program Files\SpyMD.inf - this file has been left in place
C:\WINDOWS\Downloaded Program Files\swflash.inf - this file has been left in place
C:\WINDOWS\Downloaded Program Files\wmv9dmo.inf - this file has been left in place
C:\WINDOWS\Downloaded Program Files\WMV9VCM.inf - this file has been left in place
C:\WINDOWS\Downloaded Program Files\wmvadvd.inf - this file has been left in place
------------------------------
00:58:11: Checking AUTOEXEC.BAT file
AUTOEXEC.BAT found in C:\
No malicious entries were found in the AUTOEXEC.BAT file
------------------------------
00:58:11: Checking AUTOEXEC.NT file
AUTOEXEC.NT found in C:\WINDOWS\system32
No malicious entries were found in the AUTOEXEC.NT file
------------------------------
------ INTERNET EXPLORER HOME/START/SEARCH SETTINGS ------
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\"Start Page":
http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\"Local Page":
C:\WINDOWS\SYSTEM32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\"Search Page":
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\"Default_Page_URL":
http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\"Default_Search_URL":
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\"CustomizeSearch":
https://www.bing.com/?toHttps=1&redig=8F3F334EA60E4B1CB4D040DCFE393A89{SUB_RFC1766}/srchasst/srchcust.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\"SearchAssistant":
https://www.bing.com/?toHttps=1&redig=8F3F334EA60E4B1CB4D040DCFE393A89{SUB_RFC1766}/srchasst/srchasst.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Start Page":
https://www.google.fr/?gws_rd=ssl
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Local Page":
C:\WINDOWS\SYSTEM32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Search Page":
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Default_Search_URL":
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
------------------------------
=== CHANGES WERE MADE TO THE WINDOWS REGISTRY ===
Scan completed at: 06/09/2006 00:58:11
-------------------------------------------------------------------------
One or more files could not be moved or renamed as requested.
They may be in use by Windows, so Trojan Remover needs
to restart the system in order to deal with these files.
06/09/2006 00:58:24: restart commenced
************************************************************
::Report end
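The "INTERNET EXPLORER HOME/START/SEARCH SETTINGS" section of the Trojan Remover report above is where a browser hijack normally shows up: the report lists each Start/Search/Default page value under HKLM and HKCU, but leaves it to the reader to judge whether the data is legitimate. The script below is an added example, not part of this thread and not Trojan Remover's own code: it parses a section in that format and flags any value whose URL host is outside a trusted baseline, or whose local page sits outside the Windows directory. The TRUSTED_HOSTS baseline and the sample report text are assumptions constructed for the example; the hijacked HKCU Start Page pointing at search-assistant.example is a made-up host, included only so the check has something to catch.

```python
"""Added example: flag Internet Explorer start/search-page hijacks in a
Trojan Remover-style report section.  Not part of the original thread."""
import re
from urllib.parse import urlparse

# Hosts that legitimately appear in IE 6 default start/search settings.
# This baseline is an assumption for the example; extend it for your own fleet.
TRUSTED_HOSTS = {"www.microsoft.com", "ie.search.msn.com", "www.msn.com"}

# Constructed sample in the report's format: a line naming the registry key
# and value (ending in ":"), followed by the value's data on the next line.
# The HKCU "Start Page" entry is a deliberately hijacked, made-up URL.
SAMPLE_REPORT = """\
------ INTERNET EXPLORER HOME/START/SEARCH SETTINGS ------
HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\Main\\"Start Page":
http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\Main\\"Local Page":
C:\\WINDOWS\\SYSTEM32\\blank.htm
HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\"Start Page":
http://search-assistant.example/hp.php?aff=1
HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\"Search Page":
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
------------------------------
"""

# Matches e.g.  HKEY_LOCAL_MACHINE\Software\...\Main\"Start Page":
KEY_RE = re.compile(r'^(HKEY_[A-Z_]+\\.*\\"[^"]+"):$')


def parse_ie_settings(report: str):
    """Return (registry_value, data) pairs from the report section."""
    lines = report.splitlines()
    entries = []
    for i, line in enumerate(lines):
        m = KEY_RE.match(line.strip())
        if m and i + 1 < len(lines):
            entries.append((m.group(1), lines[i + 1].strip()))
    return entries


def classify(data: str, trusted=TRUSTED_HOSTS, windir="C:\\WINDOWS"):
    """Return None if the value looks legitimate, otherwise a short reason."""
    if "://" in data:
        # URL: the only thing that matters for a hijack check is the host.
        # The {SUB_...} placeholders in Microsoft's defaults live in the
        # query string, so urlparse still yields the real host.
        host = (urlparse(data).hostname or "").lower()
        if host not in trusted:
            return f"start/search URL points at untrusted host {host!r}"
        return None
    # Not a URL: IE stores local pages (blank.htm) as file paths.  A local
    # page outside the Windows directory (Temp, a user profile) is suspect.
    if not data.lower().startswith(windir.lower() + "\\"):
        return f"local page outside {windir}: {data!r}"
    return None


def find_hijacks(report: str, trusted=TRUSTED_HOSTS):
    """List (registry_value, data, reason) for every suspicious entry."""
    hits = []
    for key, data in parse_ie_settings(report):
        reason = classify(data, trusted)
        if reason:
            hits.append((key, data, reason))
    return hits


if __name__ == "__main__":
    for key, data, reason in find_hijacks(SAMPLE_REPORT):
        print(f"SUSPECT {key}\n    {data}\n    -> {reason}")
```

Run against a real report, the script will also flag the rewritten bing/google URLs that a link-rewriting scraper leaves in archived copies of these logs, which is a reminder that the baseline has to match the machine, not the forum page.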
Continuing the saga:
good news, it seems I have finally managed to get rid of this accursed trojan-1165.
I used 2 programs that are rarely talked about
- Ewido
- Trojan Remover
in trial version, for
ewido anti-spyware - Scan Report
---------------------------------------------------------
+ Created at: 15:03:51 04/09/2006
+ Scan result:
C:\Documents and Settings\Monique\Mes documents\Telechargement\programmes\FixMTU.exe -> Downloader.VB.afg : No action taken.
:mozilla.7:C:\Documents and Settings\Monique\Application Data\Mozilla\Firefox\Profiles\uuwx0iby.default\cookies.txt -> TrackingCookie.Smartadserver : No action taken.
:mozilla.8:C:\Documents and Settings\Monique\Application Data\Mozilla\Firefox\Profiles\uuwx0iby.default\cookies.txt -> TrackingCookie.Smartadserver : No action taken.
:mozilla.9:C:\Documents and Settings\Monique\Application Data\Mozilla\Firefox\Profiles\uuwx0iby.default\cookies.txt -> TrackingCookie.Smartadserver : No action taken.
***** TROJAN REMOVER HAS RESTARTED THE SYSTEM *****
06/09/2006 01:02:03: Trojan Remover has been restarted
Trojan Remover forced a System Restart by terminating WINLOGON.EXE.
The Cleanup Utility was used to remove locked registry keys.
C:\WINDOWS\system32\jkkli.dll has been renamed to C:\WINDOWS\system32\jkkli.dl$
C:\WINDOWS\system32\jkkli.dll has been renamed to C:\WINDOWS\system32\jkkli.dl$
06/09/2006 01:02:03: Trojan Remover closed
************************************************************
***** NORMAL SCAN FOR ACTIVE MALWARE *****
Trojan Remover Ver 6.5.2. For information, email simplysupsupport@aol.com
[Unregistered version]
Scan started at: 06/09/2006 00:56:11
Using Database v6610
Operating System: Windows XP Home Edition Service Pack 2 (Build 2600)
Using data directory: C:\Documents and Settings\All Users\Application Data\Trojan Remover\
--------------------------------------------------
00:56:11: ----------RUNNING PROCESSES-----------
C:\WINDOWS\System32\smss.exe
FileSize: 49 Kb
Company Name: Microsoft Corporation
File Description: Gestionnaire de session Windows NT
File Version: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
Date Created: 30/08/2002 14:00:00
Last Modified: 19/08/2004 16:10:04
Internal Name: smss.exe
Copyright: © Microsoft Corporation. Tous droits réservés.
Original Filename: smss.exe
Product Name: Système d'exploitation Microsoft® Windows®
Product Version: 5.1.2600.2180
--------------------
C:\WINDOWS\system32\csrss.exe
FileSize: 6 Kb
Company Name: Microsoft Corporation
File Description: Client Server Runtime Process
File Version: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
Date Created: 30/08/2002 14:00:00
Last Modified: 19/08/2004 16:09:52
Internal Name: CSRSS.Exe
Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: CSRSS.Exe
Product Name: Microsoft® Windows® Operating System
Product Version: 5.1.2600.2180
--------------------
C:\WINDOWS\system32\winlogon.exe
FileSize: 494 Kb
Company Name: Microsoft Corporation
File Description: Application d'ouverture de session Windows NT
File Version: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
Date Created: 30/08/2002 14:00:00
Last Modified: 19/08/2004 16:10:06
Internal Name: winlogon
Copyright: © Microsoft Corporation. Tous droits réservés.
Original Filename: WINLOGON.EXE
Product Name: Système d'exploitation Microsoft® Windows®
Product Version: 5.1.2600.2180
--------------------
C:\WINDOWS\system32\services.exe
FileSize: 106 Kb
Company Name: Microsoft Corporation
File Description: Applications Services et Contrôleur
File Version: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
Date Created: 30/08/2002 14:00:00
Last Modified: 19/08/2004 16:10:04
Internal Name: services.exe
Copyright: © Microsoft Corporation. Tous droits réservés.
Original Filename: services.exe
Product Name: Système d'exploitation Microsoft® Windows®
Product Version: 5.1.2600.2180
--------------------
C:\WINDOWS\system32\lsass.exe
FileSize: 13 Kb
Company Name: Microsoft Corporation
File Description: LSA Shell (Export Version)
File Version: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
Date Created: 30/08/2002 14:00:00
Last Modified: 19/08/2004 16:09:56
Internal Name: lsass.exe
Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: lsass.exe
Product Name: Microsoft® Windows® Operating System
Product Version: 5.1.2600.2180
--------------------
C:\WINDOWS\system32\svchost.exe
FileSize: 14 Kb
Company Name: Microsoft Corporation
File Description: Generic Host Process for Win32 Services
File Version: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
Date Created: 30/08/2002 14:00:00
Last Modified: 19/08/2004 16:10:04
Internal Name: svchost.exe
Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: svchost.exe
Product Name: Microsoft® Windows® Operating System
Product Version: 5.1.2600.2180
--------------------
C:\WINDOWS\system32\svchost.exe
FileSize: 14 Kb
Company Name: Microsoft Corporation
File Description: Generic Host Process for Win32 Services
File Version: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
Date Created: 30/08/2002 14:00:00
Last Modified: 19/08/2004 16:10:04
Internal Name: svchost.exe
Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: svchost.exe
Product Name: Microsoft® Windows® Operating System
Product Version: 5.1.2600.2180
--------------------
C:\Program Files\Windows Defender\MsMpEng.exe
FileSize: 13 Kb
Company Name: Microsoft Corporation
File Description: Service Executable
File Version: 1.1.1347.0
Date Created: 03/04/2006 18:12:14
Last Modified: 03/04/2006 18:12:14
Internal Name: MsMpEng.exe
Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: MsMpEng.exe
Product Name: Windows Defender
Product Version: 1.1.1347.0
--------------------
C:\WINDOWS\System32\svchost.exe
FileSize: 14 Kb
Company Name: Microsoft Corporation
File Description: Generic Host Process for Win32 Services
File Version: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
Date Created: 30/08/2002 14:00:00
Last Modified: 19/08/2004 16:10:04
Internal Name: svchost.exe
Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: svchost.exe
Product Name: Microsoft® Windows® Operating System
Product Version: 5.1.2600.2180
--------------------
C:\WINDOWS\System32\svchost.exe
FileSize: 14 Kb
Company Name: Microsoft Corporation
File Description: Generic Host Process for Win32 Services
File Version: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
Date Created: 30/08/2002 14:00:00
Last Modified: 19/08/2004 16:10:04
Internal Name: svchost.exe
Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: svchost.exe
Product Name: Microsoft® Windows® Operating System
Product Version: 5.1.2600.2180
--------------------
C:\WINDOWS\System32\svchost.exe
FileSize: 14 Kb
Company Name: Microsoft Corporation
File Description: Generic Host Process for Win32 Services
File Version: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
Date Created: 30/08/2002 14:00:00
Last Modified: 19/08/2004 16:10:04
Internal Name: svchost.exe
Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: svchost.exe
Product Name: Microsoft® Windows® Operating System
Product Version: 5.1.2600.2180
--------------------
C:\WINDOWS\system32\spoolsv.exe
FileSize: 56 Kb
Company Name: Microsoft Corporation
File Description: Spooler SubSystem App
File Version: 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)
Date Created: 30/08/2002 14:00:00
Last Modified: 11/06/2005 01:53:32
Internal Name: spoolsv.exe
Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: spoolsv.exe
Product Name: Microsoft® Windows® Operating System
Product Version: 5.1.2600.2696
--------------------
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
FileSize: 57 Kb
Date Created: 19/02/2006 12:39:44
Last Modified: 05/08/2006 17:10:10
--------------------
C:\Program Files\Alwil Software\Avast4\ashServ.exe
FileSize: 105 Kb
File Description: avast! antivirus service
File Version: 4, 7, 844, 0
Date Created: 19/02/2006 12:39:44
Last Modified: 05/08/2006 08:23:06
Internal Name: aswServ
Copyright: Copyright (c) 2006 ALWIL Software
Original Filename: aswServ.exe
Product Name: avast! Antivirus
Product Version: 4, 7, 0, 0
--------------------
C:\WINDOWS\Explorer.EXE
FileSize: 1012 Kb
Company Name: Microsoft Corporation
File Description: Explorateur Windows
File Version: 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
Date Created: 30/08/2002 14:00:00
Last Modified: 19/08/2004 16:09:54
Internal Name: explorer
Copyright: © Microsoft Corporation. Tous droits réservés.
Original Filename: EXPLORER.EXE
Product Name: Système d'exploitation Microsoft® Windows®
Product Version: 6.00.2900.2180
--------------------
C:\WINDOWS\system32\crypserv.exe
FileSize: 51 Kb
Company Name: Kenonic Controls Ltd.
File Description: CrypKey NT Service
File Version: 5.4.0
Date Created: 18/06/2006 17:01:46
Last Modified: 29/06/2000 10:45:10
Internal Name: crypserv
Copyright: Copyright © 2000
Trademark: CrypKey
Original Filename: crypserv.exe
Product Name: CrypKey Software Licensing System
Product Version: 5.4
Special Build: Fixes short\long path problem
Comments: Operates in all directories, not just configured ones. Directory configuration only used for fille clean up and uninstall. 0/3 fixed problem with other partitions. 0/6 fixed problem with short paths
--------------------
C:\Program Files\ewido anti-spyware 4.0\guard.exe
FileSize: 168 Kb
Company Name: Anti-Malware Development a.s.
File Description: ewido anti-spyware guard
File Version: 4, 0, 0, 172
Date Created: 16/06/2006 16:38:44
Last Modified: 16/06/2006 16:38:44
Internal Name: ewido anti-spywareguard
Copyright: Copyright © 2005 Anti-Malware Development a.s.
Original Filename: guard.exe
Product Name: ewido anti-spyware
Product Version: 4, 0, 0, 172
Special Build: Ewido_2006_0616_163629(172), SVNRev 43094 (/trunk)
--------------------
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
FileSize: 196 Kb
Company Name: Symantec Corporation
File Description: Norton Ghost Start
File Version: 2003.793
Date Created: 17/12/2003 16:51:44
Last Modified: 17/12/2003 16:51:44
Internal Name: GhostStartService
Copyright: Copyright (C) 1998-2003 Symantec Corp. All rights reserved.
Original Filename: GhostStartService.exe
Product Name: Norton Ghost Start Service
Product Version: 2003.793
--------------------
C:\WINDOWS\system32\slserv.exe
FileSize: 44 Kb
Company Name:
File Description: User-Level Modem Service
File Version: 2.80.00(24Apr2000)
Date Created: 06/08/2003 04:17:17
Last Modified: 17/01/2003 03:02:38
Internal Name: slserv
Copyright: Copyright © 1999-2000
Trademark:
Original Filename: slserv.exe
Private Build:
Product Name: Modem
Product Version: 2.80.00
Special Build:
Comments:
--------------------
C:\WINDOWS\System32\svchost.exe
FileSize: 14 Kb
Company Name: Microsoft Corporation
File Description: Generic Host Process for Win32 Services
File Version: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
Date Created: 30/08/2002 14:00:00
Last Modified: 19/08/2004 16:10:04
Internal Name: svchost.exe
Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: svchost.exe
Product Name: Microsoft® Windows® Operating System
Product Version: 5.1.2600.2180
--------------------
C:\WINDOWS\system32\wdfmgr.exe
FileSize: 38 Kb
Company Name: Microsoft Corporation
File Description: Windows User Mode Driver Manager
File Version: 5.2.3790.1230 built by: DNSRV(bld4act)
Date Created: 10/08/2004 23:05:14
Last Modified: 10/08/2004 23:05:14
Internal Name: WdfMgr
Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: WdfMgr.exe
Product Name: Microsoft® Windows® Operating System
Product Version: 5.2.3790.1230
--------------------
C:\WINDOWS\System32\alg.exe
FileSize: 43 Kb
Company Name: Microsoft Corporation
File Description: Application Layer Gateway Service
File Version: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
Date Created: 30/08/2002 14:00:00
Last Modified: 19/08/2004 16:09:52
Internal Name: ALG.exe
Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: ALG.exe
Product Name: Microsoft® Windows® Operating System
Product Version: 5.1.2600.2180
--------------------
C:\WINDOWS\System32\hkcmd.exe
FileSize: 112 Kb
Company Name: Intel Corporation
File Description: hkcmd Module
File Version: 3,0,0,2104
Date Created: 06/08/2003 04:17:41
Last Modified: 07/04/2003 00:07:38
Internal Name: HKCMD
Copyright: Copyright 1999-2003, Intel Corporation
Original Filename: HKCMD.EXE
Product Name: Intel(R) Common User Interface
Product Version: 7,0,0,2104
--------------------
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
FileSize: 37 Kb
Company Name: Logitech Inc.
File Description: Logitech Events Handler Application
File Version: 9.76.046
Date Created: 18/11/2004 00:29:31
Last Modified: 19/03/2003 10:50:00
Internal Name: Em_Exec
Copyright: (C) 1987-2003 Logitech. All rights reserved.
Trademark: Logitech® and MouseWare® are registered trademarks of Logitech Inc.
Original Filename: Em_Exec.exe
Product Name: MouseWare
Product Version: 9.76.046
Comments: Created by the MouseWare team
--------------------
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
FileSize: 105 Kb
File Description: avast! service GUI component
File Version: 5, 0, 0, 0
Date Created: 19/02/2006 12:39:44
Last Modified: 05/08/2006 08:23:12
Internal Name: aswDisp
Copyright: Copyright (c) 2006 ALWIL Software
Original Filename: aswDisp.exe
Product Name: avast! Antivirus
Product Version: 5, 0, 0, 0
--------------------
C:\Program Files\Windows Defender\MSASCui.exe
FileSize: 759 Kb
Company Name: Microsoft Corporation
File Description: Windows Defender User Interface
File Version: 1.1.1347.0
Date Created: 03/04/2006 18:12:24
Last Modified: 03/04/2006 18:12:24
Internal Name: MSASCUI
Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: MSASCUI.exe
Product Name: Windows Defender
Product Version: 1.1.1347.0
--------------------
C:\Program Files\Messenger\msmsgs.exe
FileSize: 1.62 Mb
Company Name: Microsoft Corporation
File Description: Windows Messenger
File Version: 4.7.3001
Date Created: 14/04/2003 21:05:50
Last Modified: 13/10/2004 18:24:38
Internal Name: msmsgs
Copyright: Copyright (c) Microsoft Corporation 2004
Trademark: Microsoft(R) is a registered trademark of Microsoft Corporation in the U.S. and/or other countries.
Original Filename: msmsgs.exe
Product Name: Messenger
Product Version: Version 4.7.3001
--------------------
C:\Documents and Settings\All Users\Application Data\Trojan Remover\cpc2D5.exe
FileSize: 1.58 Mb
[This is a Trojan Remover component]
--------------------
C:\Documents and Settings\All Users\Application Data\Trojan Remover\cpc2D5.exe
FileSize: 1.58 Mb
[This is a Trojan Remover component]
--------------------
C:\WINDOWS\system32\wscntfy.exe
FileSize: 13 Kb
Company Name: Microsoft Corporation
File Description: Windows Security Center Notification App
File Version: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
Date Created: 25/05/2005 15:13:03
Last Modified: 19/08/2004 16:10:06
Internal Name: wscntfy.exe
Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: wscntfy.exe
Product Name: Microsoft® Windows® Operating System
Product Version: 5.1.2600.2180
--------------------
Checking Registry exefile command for modifications
Checking Registry comfile command for modifications
Checking Registry piffile command for modifications
Checking Registry batfile command for modifications
Checking Registry regfile command for modifications
Checking Registry cmdfile command for modifications
Checking Registry scrfile command for modifications
------------------------------
00:56:16: Scanning ----------WIN.INI-----------
WIN.INI found in C:\WINDOWS
------------------------------
00:56:16: Scanning --------SYSTEM.INI---------
SYSTEM.INI found in C:\WINDOWS
------------------------------
00:56:16: ----- SCANNING FOR ROOTKIT SERVICES -----
No hidden Services were detected.
------------------------------
00:56:16: Scanning -----WINDOWS REGISTRY-----
Checking HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Vxd
--------------------
Checking HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon
--------------------
Checking HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon
This key's "Shell" value calls the following program(s):
Explorer.exe - this entry has been left in place
--------------------
This key's "Userinit" value calls the following program(s):
C:\WINDOWS\system32\userinit.exe - this entry has been left in place
--------------------
--------------------
Checking HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
--------------------
Checking HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Value Name = load
The Data Value for this entry appears to be blank
--------------------
--------------------
Checking HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
This Registry Key attempts to run the following program(s):
Value Name = HotKeysCmds
Value Data = C:\WINDOWS\System32\hkcmd.exe - this command has been left in place
--------------------
Value Name = Logitech Utility
Value Data = Logi_MwX.Exe - this command has been left in place
--------------------
Value Name = avast!
Value Data = C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe - this command has been left in place
--------------------
Value Name = Windows Defender
Value Data = C:\Program Files\Windows Defender\MSASCui.exe" -hide - this command has been left in place
--------------------
Value Name = QuickTime Task
Value Data = C:\Program Files\QuickTime\qttask.exe" -atboottime - this command has been left in place
--------------------
Value Name = TrojanScanner
Value Data = C:\Program Files\Trojan Remover\Trjscan.exe - this program is Trojan Remover's own scan file
--------------------
--------------------
Checking HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
This Registry Key appears to be empty
--------------------
Checking HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
This Registry Key appears to be empty
--------------------
Checking HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
This Registry Key appears to be empty
--------------------
Checking HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
This Registry Key appears to be empty
--------------------
Checking HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
This Registry Key attempts to run the following program(s):
Value Name = MSMSGS
Value Data = C:\Program Files\Messenger\msmsgs.exe" /background - this command has been left in place
--------------------
Value Name = Skype
Value Data = C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized - this command has been left in place
--------------------
--------------------
Checking HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
This Registry Key appears to be empty
--------------------
Checking HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
This Registry Key appears to be empty
--------------------
Checking HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
This Registry Key appears to be empty
--------------------
Checking for an active ScreenSaver:
ScreenSaver=C:\WINDOWS\System32\ssmypics.scr - this command has been left in place
--------------------
------------------------------
00:56:17: Scanning ----- REGISTRY ACTIVE SETUP KEYS -----
Checking the StubPath calls in the Active Setup\Installed Components registry keys:
Key=>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}
StubPath=C:\WINDOWS\inf\unregmp2.exe - this reference has been left in place
----------
Key=>{26923b43-4d38-484f-9b9e-de460746276c}
StubPath=C:\WINDOWS\system32\shmgrate.exe - this reference has been left in place
----------
Key=>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}
StubPath=C:\WINDOWS\system32\shmgrate.exe - this reference has been left in place
----------
Key={2C7339CF-2B09-4501-B3F3-F3508C9228ED}
StubPath=C:\WINDOWS\system32\regsvr32.exe - this reference has been left in place
----------
Key={44BBA840-CC51-11CF-AAFA-00AA00B6015C}
StubPath=C:\Program Files\Outlook Express\setup50.exe - this reference has been left in place
----------
Key={7790769C-0471-11d2-AF11-00C04FA35D02}
StubPath=C:\Program Files\Outlook Express\setup50.exe - this reference has been left in place
----------
Key={89820200-ECBD-11cf-8B85-00AA005B4340}
StubPath=regsvr32.exe - this reference has been left in place
----------
Key={89820200-ECBD-11cf-8B85-00AA005B4383}
StubPath=C:\WINDOWS\system32\ie4uinit.exe - this reference has been left in place
----------
------------------------------
00:56:18: Scanning ----- NT/XP SERVICEDLL REGISTRY KEYS -----
Checking DLL files called from the NT/XP CurrentControlSet\Services Keys:
Key=Alerter
ServiceDLL=%SystemRoot%\system32\alrsvc.dll - this reference has been left in place
Key=AppMgmt
ServiceDLL=%SystemRoot%\System32\appmgmts.dll - this reference has been left in place [file not found to scan]
Key=AudioSrv
ServiceDLL=%SystemRoot%\System32\audiosrv.dll - this reference has been left in place
Key=BITS
ServiceDLL=C:\WINDOWS\System32\qmgr.dll - this reference has been left in place
Key=Browser
ServiceDLL=%SystemRoot%\System32\browser.dll - this reference has been left in place
Key=CryptSvc
ServiceDLL=%SystemRoot%\System32\cryptsvc.dll - this reference has been left in place
Key=DcomLaunch
ServiceDLL=%SystemRoot%\system32\rpcss.dll - this reference has been left in place
Key=Dhcp
ServiceDLL=%SystemRoot%\System32\dhcpcsvc.dll - this reference has been left in place
Key=dmserver
ServiceDLL=%SystemRoot%\System32\dmserver.dll - this reference has been left in place
Key=Dnscache
ServiceDLL=%SystemRoot%\System32\dnsrslvr.dll - this reference has been left in place
Key=ERSvc
ServiceDLL=%SystemRoot%\System32\ersvc.dll - this reference has been left in place
Key=EventSystem
ServiceDLL=C:\WINDOWS\System32\es.dll - this reference has been left in place
Key=FastUserSwitchingCompatibility
ServiceDLL=%SystemRoot%\System32\shsvcs.dll - this reference has been left in place
Key=helpsvc
ServiceDLL=%WINDIR%\PCHealth\HelpCtr\Binaries\pchsvc.dll - this reference has been left in place
Key=HidServ
ServiceDLL=%SystemRoot%\System32\hidserv.dll - this reference has been left in place [file not found to scan]
Key=HTTPFilter
ServiceDLL=%SystemRoot%\System32\w3ssl.dll - this reference has been left in place
Key=lanmanserver
ServiceDLL=%SystemRoot%\System32\srvsvc.dll - this reference has been left in place
Key=lanmanworkstation
ServiceDLL=%SystemRoot%\System32\wkssvc.dll - this reference has been left in place
Key=LmHosts
ServiceDLL=%SystemRoot%\System32\lmhsvc.dll - this reference has been left in place
Key=Messenger
ServiceDLL=%SystemRoot%\System32\msgsvc.dll - this reference has been left in place
Key=Netman
ServiceDLL=%SystemRoot%\System32\netman.dll - this reference has been left in place
Key=Nla
ServiceDLL=%SystemRoot%\System32\mswsock.dll - this reference has been left in place
Key=NtmsSvc
ServiceDLL=%SystemRoot%\system32\ntmssvc.dll - this reference has been left in place
Key=RasAuto
ServiceDLL=%SystemRoot%\System32\rasauto.dll - this reference has been left in place
Key=RasMan
ServiceDLL=%SystemRoot%\System32\rasmans.dll - this reference has been left in place
Key=RemoteAccess
ServiceDLL=%SystemRoot%\System32\mprdim.dll - this reference has been left in place
Key=RpcSs
ServiceDLL=%SystemRoot%\system32\rpcss.dll - this reference has been left in place
Key=Schedule
ServiceDLL=%SystemRoot%\system32\schedsvc.dll - this reference has been left in place
Key=seclogon
ServiceDLL=%SystemRoot%\System32\seclogon.dll - this reference has been left in place
Key=SENS
ServiceDLL=%SystemRoot%\system32\sens.dll - this reference has been left in place
Key=SharedAccess
ServiceDLL=%SystemRoot%\System32\ipnathlp.dll - this reference has been left in place
Key=ShellHWDetection
ServiceDLL=%SystemRoot%\System32\shsvcs.dll - this reference has been left in place
Key=srservice
ServiceDLL=C:\WINDOWS\System32\srsvc.dll - this reference has been left in place
Key=SSDPSRV
ServiceDLL=%SystemRoot%\System32\ssdpsrv.dll - this reference has been left in place
Key=stisvc
ServiceDLL=%SystemRoot%\system32\wiaservc.dll - this reference has been left in place
Key=TapiSrv
ServiceDLL=%SystemRoot%\System32\tapisrv.dll - this reference has been left in place
Key=TermService
ServiceDLL=%SystemRoot%\System32\termsrv.dll - this reference has been left in place
Key=Themes
ServiceDLL=%SystemRoot%\System32\shsvcs.dll - this reference has been left in place
Key=TrkWks
ServiceDLL=%SystemRoot%\system32\trkwks.dll - this reference has been left in place
Key=upnphost
ServiceDLL=%SystemRoot%\System32\upnphost.dll - this reference has been left in place
Key=W32Time
ServiceDLL=C:\WINDOWS\System32\w32time.dll - this reference has been left in place
Key=WebClient
ServiceDLL=%SystemRoot%\System32\webclnt.dll - this reference has been left in place
Key=winmgmt
ServiceDLL=%SystemRoot%\system32\wbem\WMIsvc.dll - this reference has been left in place
Key=WmdmPmSN
ServiceDLL=C:\WINDOWS\system32\MsPMSNSv.dll - this reference has been left in place
Key=wscsvc
ServiceDLL=%SYSTEMROOT%\system32\wscsvc.dll - this reference has been left in place
Key=wuauserv
ServiceDLL=C:\WINDOWS\system32\wuauserv.dll - this reference has been left in place
Key=WZCSVC
ServiceDLL=%SystemRoot%\System32\wzcsvc.dll - this reference has been left in place
Key=xmlprov
ServiceDLL=%SystemRoot%\System32\xmlprov.dll - this reference has been left in place
------------------------------
00:56:24: Scanning ----- NT/XP SERVICES REGISTRY KEYS -----
Checking files called from the NT/XP CurrentControlSet\Services Keys:
Key=ACPI
ImagePath=System32\DRIVERS\ACPI.sys - this reference has been left in place
----------
Key=aec
ImagePath=system32\drivers\aec.sys - this reference has been left in place
----------
Key=AFD
ImagePath=\SystemRoot\System32\drivers\afd.sys - this reference has been left in place
----------
Key=ALCXWDM
ImagePath=system32\drivers\ALCXWDM.SYS - this reference has been left in place
----------
Key=ALG
ImagePath=%SystemRoot%\System32\alg.exe - this reference has been left in place
----------
Key=aswUpdSv
ImagePath="C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe" - this reference has been left in place
----------
Key=AsyncMac
ImagePath=System32\DRIVERS\asyncmac.sys - this reference has been left in place
----------
Key=atapi
ImagePath=System32\DRIVERS\atapi.sys - this reference has been left in place
----------
Key=Atmarpc
ImagePath=System32\DRIVERS\atmarpc.sys - this reference has been left in place
----------
Key=audstub
ImagePath=System32\DRIVERS\audstub.sys - this reference has been left in place
----------
Key=avast! Antivirus
ImagePath="C:\Program Files\Alwil Software\Avast4\ashServ.exe" - this reference has been left in place
----------
Key=avast! Mail Scanner
ImagePath="C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service - this reference has been left in place
----------
Key=avast! Web Scanner
ImagePath="C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service - this reference has been left in place
----------
Key=Cdrom
ImagePath=System32\DRIVERS\cdrom.sys - this reference has been left in place
----------
Key=CiSvc
ImagePath=%SystemRoot%\system32\cisvc.exe - this reference has been left in place
----------
Key=ClipSrv
ImagePath=%SystemRoot%\system32\clipsrv.exe - this reference has been left in place
----------
Key=COMSysApp
ImagePath=C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} - this reference has been left in place
----------
Key=Crypkey License
ImagePath=crypserv.exe - this reference has been left in place
----------
Key=Disk
ImagePath=System32\DRIVERS\disk.sys - this reference has been left in place
----------
Key=dmadmin
ImagePath=%SystemRoot%\System32\dmadmin.exe /com - this reference has been left in place
----------
Key=dmboot
ImagePath=System32\drivers\dmboot.sys - this reference has been left in place
----------
Key=DMusic
ImagePath=system32\drivers\DMusic.sys - this reference has been left in place
----------
Key=drmkaud
ImagePath=system32\drivers\drmkaud.sys - this reference has been left in place
----------
Key=Eventlog
ImagePath=%SystemRoot%\system32\services.exe - this reference has been left in place
----------
Key=ewido anti-spyware 4.0 driver
ImagePath=\??\C:\Program Files\ewido anti-spyware 4.0\guard.sys - this reference has been left in place
----------
Key=ewido anti-spyware 4.0 guard
ImagePath=C:\Program Files\ewido anti-spyware 4.0\guard.exe - this reference has been left in place
----------
Key=Fax
ImagePath=%systemroot%\system32\fxssvc.exe - this reference has been left in place
----------
Key=Fdc
ImagePath=System32\DRIVERS\fdc.sys - this reference has been left in place
----------
Key=Flpydisk
ImagePath=System32\DRIVERS\flpydisk.sys - this reference has been left in place
----------
Key=FltMgr
ImagePath=system32\drivers\fltmgr.sys - this reference has been left in place
----------
Key=Ftdisk
ImagePath=System32\DRIVERS\ftdisk.sys - this reference has been left in place
----------
Key=GhostStartService
ImagePath=C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe - this reference has been left in place
----------
Key=GhPciScan
ImagePath=\??\C:\Program Files\Symantec\Norton Ghost 2003\ghpciscan.sys - this reference has been left in place
----------
Key=Gpc
ImagePath=System32\DRIVERS\msgpc.sys - this reference has been left in place
----------
Key=HTTP
ImagePath=System32\Drivers\HTTP.sys - this reference has been left in place
----------
Key=i8042prt
ImagePath=System32\DRIVERS\i8042prt.sys - this reference has been left in place
----------
Key=ialm
ImagePath=System32\DRIVERS\ialmnt5.sys - this reference has been left in place
----------
Key=Imapi
ImagePath=System32\DRIVERS\imapi.sys - this reference has been left in place
----------
Key=ImapiService
ImagePath=C:\WINDOWS\System32\imapi.exe - this reference has been left in place
----------
Key=IntelIde
ImagePath=System32\DRIVERS\intelide.sys - this reference has been left in place
----------
Key=intelppm
ImagePath=System32\DRIVERS\intelppm.sys - this reference has been left in place
----------
Key=ip6fw
ImagePath=system32\drivers\ip6fw.sys - this reference has been left in place
----------
Key=IpFilterDriver
ImagePath=System32\DRIVERS\ipfltdrv.sys - this reference has been left in place
----------
Key=IpInIp
ImagePath=System32\DRIVERS\ipinip.sys - this reference has been left in place
----------
Key=IpNat
ImagePath=System32\DRIVERS\ipnat.sys - this reference has been left in place
----------
Key=IPSec
ImagePath=System32\DRIVERS\ipsec.sys - this reference has been left in place
----------
Key=IRENUM
ImagePath=System32\DRIVERS\irenum.sys - this reference has been left in place
----------
Key=isapnp
ImagePath=System32\DRIVERS\isapnp.sys - this reference has been left in place
----------
Key=Kbdclass
ImagePath=System32\DRIVERS\kbdclass.sys - this reference has been left in place
----------
Key=kmixer
ImagePath=system32\drivers\kmixer.sys - this reference has been left in place
----------
Key=L8042pr2
ImagePath=System32\DRIVERS\L8042pr2.Sys - this reference has been left in place
----------
Key=LHidFlt2
ImagePath=System32\DRIVERS\LHidFlt2.Sys - this reference has been left in place
----------
Key=LHidUsb
ImagePath=System32\Drivers\LHidUsb.Sys - this reference has been left in place
----------
Key=LMouFlt2
ImagePath=System32\DRIVERS\LMouFlt2.Sys - this reference has been left in place
----------
Key=mnmsrvc
ImagePath=C:\WINDOWS\System32\mnmsrvc.exe - this reference has been left in place
----------
Key=Mouclass
ImagePath=System32\DRIVERS\mouclass.sys - this reference has been left in place
----------
Key=mouhid
ImagePath=System32\DRIVERS\mouhid.sys - this reference has been left in place
----------
Key=MRxDAV
ImagePath=System32\DRIVERS\mrxdav.sys - this reference has been left in place
----------
Key=MRxSmb
ImagePath=System32\DRIVERS\mrxsmb.sys - this reference has been left in place
----------
Key=MSDTC
ImagePath=C:\WINDOWS\System32\msdtc.exe - this reference has been left in place
----------
Key=MSIServer
ImagePath=C:\WINDOWS\system32\msiexec.exe /V - this reference has been left in place
----------
Key=MSKSSRV
ImagePath=system32\drivers\MSKSSRV.sys - this reference has been left in place
----------
Key=MSPCLOCK
ImagePath=system32\drivers\MSPCLOCK.sys - this reference has been left in place
----------
Key=MSPQM
ImagePath=system32\drivers\MSPQM.sys - this reference has been left in place
----------
Key=mssmbios
ImagePath=System32\DRIVERS\mssmbios.sys - this reference has been left in place
----------
Key=Mtlmnt5
ImagePath=System32\DRIVERS\Mtlmnt5.sys - this reference has been left in place
----------
Key=Mtlstrm
ImagePath=System32\DRIVERS\Mtlstrm.sys - this reference has been left in place
----------
Key=NdisTapi
ImagePath=System32\DRIVERS\ndistapi.sys - this reference has been left in place
----------
Key=Ndisuio
ImagePath=System32\DRIVERS\ndisuio.sys - this reference has been left in place
----------
Key=NdisWan
ImagePath=System32\DRIVERS\ndiswan.sys - this reference has been left in place
----------
Key=NetBIOS
ImagePath=System32\DRIVERS\netbios.sys - this reference has been left in place
----------
Key=NetBT
ImagePath=System32\DRIVERS\netbt.sys - this reference has been left in place
----------
Key=NetDDE
ImagePath=%SystemRoot%\system32\netdde.exe - this reference has been left in place
----------
Key=NetDDEdsdm
ImagePath=%SystemRoot%\system32\netdde.exe - this reference has been left in place
----------
Key=Netlogon
ImagePath=%SystemRoot%\System32\lsass.exe - this reference has been left in place
----------
Key=NetworkX
ImagePath=\SystemRoot\system32\ckldrv.sys - this reference has been left in place
----------
Key=NtLmSsp
ImagePath=%SystemRoot%\System32\lsass.exe - this reference has been left in place
----------
Key=NtMtlFax
ImagePath=System32\DRIVERS\NtMtlFax.sys - this reference has been left in place
----------
Key=NwlnkFlt
ImagePath=System32\DRIVERS\nwlnkflt.sys - this reference has been left in place
----------
Key=NwlnkFwd
ImagePath=System32\DRIVERS\nwlnkfwd.sys - this reference has been left in place
----------
Key=O&O Defrag
ImagePath=C:\WINDOWS\system32\oodag.exe - this reference has been left in place
----------
Key=Parport
ImagePath=System32\DRIVERS\parport.sys - this reference has been left in place
----------
Key=PCI
ImagePath=System32\DRIVERS\pci.sys - this reference has been left in place
----------
Key=PCIIde
ImagePath=System32\DRIVERS\pciide.sys - this reference has been left in place
----------
Key=Pcouffin
ImagePath=System32\Drivers\Pcouffin.sys - this reference has been left in place
----------
Key=PlugPlay
ImagePath=%SystemRoot%\system32\services.exe - this reference has been left in place
----------
Key=PolicyAgent
ImagePath=%SystemRoot%\System32\lsass.exe - this reference has been left in place
----------
Key=PptpMiniport
ImagePath=System32\DRIVERS\raspptp.sys - this reference has been left in place
----------
Key=Processor
ImagePath=System32\DRIVERS\processr.sys - this reference has been left in place
----------
Key=ProtectedStorage
ImagePath=%SystemRoot%\system32\lsass.exe - this reference has been left in place
----------
Key=PSched
ImagePath=System32\DRIVERS\psched.sys - this reference has been left in place
----------
Key=Ptilink
ImagePath=System32\DRIVERS\ptilink.sys - this reference has been left in place
----------
Key=PxHelp20
ImagePath=System32\DRIVERS\PxHelp20.sys - this reference has been left in place
----------
Key=RasAcd
ImagePath=System32\DRIVERS\rasacd.sys - this reference has been left in place
----------
Key=Rasl2tp
ImagePath=System32\DRIVERS\rasl2tp.sys - this reference has been left in place
----------
Key=RasPppoe
ImagePath=System32\DRIVERS\raspppoe.sys - this reference has been left in place
----------
Key=Raspti
ImagePath=System32\DRIVERS\raspti.sys - this reference has been left in place
----------
Key=Rdbss
ImagePath=System32\DRIVERS\rdbss.sys - this reference has been left in place
----------
Key=RDPCDD
ImagePath=System32\DRIVERS\RDPCDD.sys - this reference has been left in place
----------
Key=RDSessMgr
ImagePath=C:\WINDOWS\system32\sessmgr.exe - this reference has been left in place
----------
Key=RecAgent
ImagePath=\??\C:\WINDOWS\System32\DRIVERS\RecAgent.sys - this reference has been left in place
----------
Key=redbook
ImagePath=System32\DRIVERS\redbook.sys - this reference has been left in place
----------
Key=RpcLocator
ImagePath=%SystemRoot%\System32\locator.exe - this reference has been left in place
----------
Key=RSVP
ImagePath=%SystemRoot%\System32\rsvp.exe - this reference has been left in place
----------
Key=rtl8139
ImagePath=System32\DRIVERS\R8139n51.SYS - this reference has been left in place
----------
Key=SamSs
ImagePath=%SystemRoot%\system32\lsass.exe - this reference has been left in place
----------
Key=SCardSvr
ImagePath=%SystemRoot%\System32\SCardSvr.exe - this reference has been left in place
----------
Key=ScsiPort
ImagePath=%SystemRoot%\system32\drivers\scsiport.sys - this reference has been left in place
----------
Key=Secdrv
ImagePath=System32\DRIVERS\secdrv.sys - this reference has been left in place
----------
Key=serenum
ImagePath=System32\DRIVERS\serenum.sys - this reference has been left in place
----------
Key=Serial
ImagePath=System32\DRIVERS\serial.sys - this reference has been left in place
----------
Key=Slntamr
ImagePath=System32\DRIVERS\slntamr.sys - this reference has been left in place
----------
Key=SlNtHal
ImagePath=System32\DRIVERS\Slnthal.sys - this reference has been left in place
----------
Key=SLService
ImagePath=slserv.exe - this reference has been left in place
----------
Key=SlWdmSup
ImagePath=System32\DRIVERS\SlWdmSup.sys - this reference has been left in place
----------
Key=splitter
ImagePath=system32\drivers\splitter.sys - this reference has been left in place
----------
Key=Spooler
ImagePath=%SystemRoot%\system32\spoolsv.exe - this reference has been left in place
----------
Key=sr
ImagePath=System32\DRIVERS\sr.sys - this reference has been left in place
----------
Key=Srv
ImagePath=System32\DRIVERS\srv.sys - this reference has been left in place
----------
Key=swenum
ImagePath=System32\DRIVERS\swenum.sys - this reference has been left in place
----------
Key=swmidi
ImagePath=system32\drivers\swmidi.sys - this reference has been left in place
----------
Key=SwPrv
ImagePath=C:\WINDOWS\System32\dllhost.exe /Processid:{EE165A20-C9A7-4FF1-850E-85B60ED4D7BF} - this reference has been left in place
----------
Key=sysaudio
ImagePath=system32\drivers\sysaudio.sys - this reference has been left in place
----------
Key=SysmonLog
ImagePath=%SystemRoot%\system32\smlogsvc.exe - this reference has been left in place
----------
Key=Tcpip
ImagePath=System32\DRIVERS\tcpip.sys - this reference has been left in place
----------
Key=TermDD
ImagePath=System32\DRIVERS\termdd.sys - this reference has been left in place
----------
Key=UMWdf
ImagePath=C:\WINDOWS\system32\wdfmgr.exe - this reference has been left in place
----------
Key=Update
ImagePath=System32\DRIVERS\update.sys - this reference has been left in place
----------
Key=UPS
ImagePath=%SystemRoot%\System32\ups.exe - this reference has been left in place
----------
Key=usbehci
ImagePath=System32\DRIVERS\usbehci.sys - this reference has been left in place
----------
Key=usbhub
ImagePath=System32\DRIVERS\usbhub.sys - this reference has been left in place
----------
Key=usbscan
ImagePath=System32\DRIVERS\usbscan.sys - this reference has been left in place
----------
Key=USBSTOR
ImagePath=System32\DRIVERS\USBSTOR.SYS - this reference has been left in place
----------
Key=usbuhci
ImagePath=System32\DRIVERS\usbuhci.sys - this reference has been left in place
----------
Key=VgaSave
ImagePath=\SystemRoot\System32\drivers\vga.sys - this reference has been left in place
----------
Key=VSS
ImagePath=%SystemRoot%\System32\vssvc.exe - this reference has been left in place
----------
Key=Wanarp
ImagePath=System32\DRIVERS\wanarp.sys - this reference has been left in place
----------
Key=wdmaud
ImagePath=system32\drivers\wdmaud.sys - this reference has been left in place
----------
Key=WinDefend
ImagePath="C:\Program Files\Windows Defender\MsMpEng.exe" - this reference has been left in place
----------
Key=WmiApSrv
ImagePath=C:\WINDOWS\System32\wbem\wmiapsrv.exe - this reference has been left in place
----------
Key={6080A529-897E-4629-A488-ABA0C29B635E}
ImagePath=system32\drivers\ialmsbw.sys - this reference has been left in place
----------
Key={D31A0762-0CEB-444e-ACFF-B049A1F6FE91}
ImagePath=system32\drivers\ialmkchw.sys - this reference has been left in place
----------
------------------------------
00:56:44: Scanning -----VXD ENTRIES-----
Checking the following VxD entries:
VxD Key = JAVASUP
Vxd = JAVASUP.VXD - this command has been left in place
---------
Checking VMM32 VxD files being loaded
------------------------------
00:56:44: Scanning ----- WINLOGON\NOTIFY DLLS -----
Checking DLLs called from the Winlogon\Notify key:
Key=crypt32chain
DLLName=crypt32.dll - this reference has been left in place
----------
Key=cryptnet
DLLName=cryptnet.dll - this reference has been left in place
----------
Key=cscdll
DLLName=cscdll.dll - this reference has been left in place
----------
Key=igfxcui
DLLName=igfxsrvc.dll - this reference has been left in place
----------
Key=jkkli
DLLName=C:\WINDOWS\system32\jkkli.dll - appears to contain ADWARE.VIRTUMONDE (HEURISTIC DETECTION)
DLLName=C:\WINDOWS\system32\jkkli.dll - this call has been removed
C:\WINDOWS\system32\jkkli.dll - has HIDDEN attribute set
C:\WINDOWS\system32\jkkli.dll - HIDDEN attribute removed
C:\WINDOWS\system32\jkkli.dll - has SYSTEM attribute set
C:\WINDOWS\system32\jkkli.dll - SYSTEM attribute removed
C:\WINDOWS\system32\jkkli.dll has been marked for renaming during PC restart
----------
Key=ScCertProp
DLLName=wlnotify.dll - this reference has been left in place
----------
Key=Schedule
DLLName=wlnotify.dll - this reference has been left in place
----------
Key=sclgntfy
DLLName=sclgntfy.dll - this reference has been left in place
----------
Key=SensLogn
DLLName=WlNotify.dll - this reference has been left in place
----------
Key=termsrv
DLLName=wlnotify.dll - this reference has been left in place
----------
Key=WgaLogon
DLLName=WgaLogon.dll - this reference has been left in place
----------
Key=winrkq32
DLLName=winrkq32.dll - this reference has been left in place [file not found to scan]
----------
Key=wlballoon
DLLName=wlnotify.dll - this reference has been left in place
----------
Key=WRNotifier
DLLName=WRLogonNTF.dll - this reference has been left in place [file not found to scan]
----------
------------------------------
00:57:53: Scanning ----- CONTEXTMENUHANDLERS -----
Key = avast
CLSID = {472083B0-C522-11CF-8763-00608CC02F24}
C:\Program Files\Alwil Software\Avast4\ashShell.dll - this ContextMenuHandler has been left in place
----------
Key = AVG Shell Extension
CLSID = {1E2CDF40-419B-11D2-A5A1-002018648BA7}
File = [CLSID does not appear to reference a file]
----------
Key = BriefcaseMenu
CLSID = {85BBD920-42A0-1069-A2E4-08002B30309D}
syncui.dll - this ContextMenuHandler has been left in place
----------
Key = ewido anti-spyware
CLSID = {8934FCEF-F5B8-468f-951F-78A921CD3920}
C:\Program Files\ewido anti-spyware 4.0\context.dll - this ContextMenuHandler has been left in place
----------
Key = IZArcCM
CLSID = {8D9D4D0D-FDDD-44CB-AAB2-6161FA0757C5}
C:\PROGRA~1\IZArc\IZArcCM.dll - this ContextMenuHandler has been left in place
----------
Key = Offline Files
CLSID = {750fdf0e-2a26-11d1-a3ea-080036587f03}
%SystemRoot%\System32\cscui.dll - this ContextMenuHandler has been left in place
----------
Key = Open With
CLSID = {09799AFB-AD67-11d1-ABCD-00C04FC30936}
%SystemRoot%\system32\SHELL32.dll - this ContextMenuHandler has been left in place
----------
Key = Open With EncryptionMenu
CLSID = {A470F8CF-A1E8-4f65-8335-227475AA5C46}
%SystemRoot%\system32\SHELL32.dll - this ContextMenuHandler has been left in place
----------
Key = Trojan Remover
CLSID = {52B87208-9CCF-42C9-B88E-069281105805}
C:\PROGRA~1\TROJAN~1\Trshlex.dll - this ContextMenuHandler has been left in place
----------
Key = {a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
%SystemRoot%\system32\SHELL32.dll - this ContextMenuHandler has been left in place
----------
------------------------------
00:57:55: Scanning ----- FOLDER\COLUMNHANDLERS -----
Key = {0D2E74C4-3C34-11d2-A27E-00C04FC30871}
%SystemRoot%\system32\SHELL32.dll - this Folder\ColumnHandler has been left in place
----------
Key = {24F14F01-7B1C-11d1-838f-0000F80461CF}
%SystemRoot%\system32\SHELL32.dll - this Folder\ColumnHandler has been left in place
----------
Key = {24F14F02-7B1C-11d1-838f-0000F80461CF}
%SystemRoot%\system32\SHELL32.dll - this Folder\ColumnHandler has been left in place
----------
Key = {66742402-F9B9-11D1-A202-0000F81FEDEE}
%SystemRoot%\system32\SHELL32.dll - this Folder\ColumnHandler has been left in place
----------
Key = {F9DB5320-233E-11D1-9F84-707F02C10627}
C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll - this Folder\ColumnHandler has been left in place
----------
------------------------------
00:57:55: Scanning ----- BROWSER HELPER OBJECTS -----
Key = {02478D38-C3F9-4EFB-9B51-7695ECA05670}
C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll - this Browser Helper Object has been left in place
----------
Key = {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - this Browser Helper Object has been left in place
----------
Key = {53707962-6F74-2D53-2644-206D7942484F}
C:\PROGRA~1\SPYBOT~1\SDHelper.dll - this Browser Helper Object has been left in place
----------
C:\WINDOWS\system32\jkkli.dll - appears to contain ADWARE.VIRTUMONDE (HEURISTIC DETECTION)
C:\WINDOWS\system32\jkkli.dll - this Browser Helper Object was being loaded by the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{61EF6ACA-27CC-41AC-9BF3-F53BF2D268B5} - this key has been removed
C:\WINDOWS\system32\jkkli.dll - this Browser Helper Object was referenced by the following key:
HKEY_CLASSES_ROOT\CLSID\{61EF6ACA-27CC-41AC-9BF3-F53BF2D268B5} - this key has been removed
C:\WINDOWS\system32\jkkli.dll has been marked for renaming during PC restart
----------
Key = {AA58ED58-01DD-4d91-8333-CF10577473F7}
c:\program files\google\googletoolbar2.dll - this Browser Helper Object has been left in place
----------
------------------------------
00:58:05: Scanning ----- SHELLSERVICEOBJECTS -----
Key = PostBootReminder
%SystemRoot%\system32\SHELL32.dll - this ShellServiceObject has been left in place
----------
Key = CDBurn
%SystemRoot%\system32\SHELL32.dll - this ShellServiceObject has been left in place
----------
Key = WebCheck
%SystemRoot%\System32\webcheck.dll - this ShellServiceObject has been left in place
----------
Key = SysTray
C:\WINDOWS\System32\stobject.dll - this ShellServiceObject has been left in place
----------
------------------------------
00:58:06: Scanning ----- SHAREDTASKSCHEDULER ENTRIES -----
Value = {438755C2-A8BA-11D1-B96B-00A0C90312E1}
Comment = Pré-chargeur Browseui
File: %SystemRoot%\System32\browseui.dll - this SharedTaskScheduler entry has been left in place
----------
Value = {8C7461EF-2B13-11d2-BE35-3078302C2030}
Comment = Démon de cache des catégories de composant
File: %SystemRoot%\System32\browseui.dll - this SharedTaskScheduler entry has been left in place
----------
------------------------------
00:58:07: Scanning ----- IMAGEFILE DEBUGGERS -----
No "Debugger" entries found.
------------------------------
00:58:07: Scanning ----- APPINIT_DLLS -----
The AppInit_DLLs value is blank
------------------------------
00:58:07: Scanning ------ COMMON STARTUP GROUP ------
The Common Startup Group attempts to load the following file(s) at boot time:
desktop.ini - this file is expected and has been left in place
------------------------------
No User Startup Groups were located to check
------------------------------
00:58:07: Scanning ----- SCHEDULED TASKS -----
------------------------------
00:58:07: ----- EXTRA REGISTRY CHECKS -----
72 subkeys checked - all ok.
--------------------
------------------------------
00:58:07: Scanning ------ DOWNLOADED PROGRAM FILES ------
The following files are located in the DOWNLOADED PROGRAM FILES directory:
C:\WINDOWS\Downloaded Program Files\asinst.dll - this file has been left in place
C:\WINDOWS\Downloaded Program Files\asinst.inf - this file has been left in place
C:\WINDOWS\Downloaded Program Files\bdcore.dll - this file has been left in place
C:\WINDOWS\Downloaded Program Files\bdupd.dll - this file has been left in place
C:\WINDOWS\Downloaded Program Files\desktop.ini - this file is expected and has been left in place
C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd - this file has been left in place
C:\WINDOWS\Downloaded Program Files\erma.inf - this file has been left in place
C:\WINDOWS\Downloaded Program Files\installer2.dll - this file has been left in place
C:\WINDOWS\Downloaded Program Files\IPIXX.inf - this file has been left in place
C:\WINDOWS\Downloaded Program Files\ipixx.ocx - this file has been left in place
C:\WINDOWS\Downloaded Program Files\ipsupd.dll - this file has been left in place
C:\WINDOWS\Downloaded Program Files\iuctl.inf - this file has been left in place
C:\WINDOWS\Downloaded Program Files\lang.ini - this file has been left in place
C:\WINDOWS\Downloaded Program Files\LegitCheckControl.inf - this file has been left in place
C:\WINDOWS\Downloaded Program Files\libfn.dll - this file has been left in place
C:\WINDOWS\Downloaded Program Files\live.ini - this file has been left in place
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd - this file has been left in place
C:\WINDOWS\Downloaded Program Files\oscan8.inf - this file has been left in place
C:\WINDOWS\Downloaded Program Files\oscan8.ocx - this file has been left in place
C:\WINDOWS\Downloaded Program Files\oscan81.ocx_x - this file has been left in place
C:\WINDOWS\Downloaded Program Files\scanoptions.tsi - this file has been left in place
C:\WINDOWS\Downloaded Program Files\SpyMD.inf - this file has been left in place
C:\WINDOWS\Downloaded Program Files\swflash.inf - this file has been left in place
C:\WINDOWS\Downloaded Program Files\wmv9dmo.inf - this file has been left in place
C:\WINDOWS\Downloaded Program Files\WMV9VCM.inf - this file has been left in place
C:\WINDOWS\Downloaded Program Files\wmvadvd.inf - this file has been left in place
------------------------------
00:58:11: Checking AUTOEXEC.BAT file
AUTOEXEC.BAT found in C:\
No malicious entries were found in the AUTOEXEC.BAT file
------------------------------
00:58:11: Checking AUTOEXEC.NT file
AUTOEXEC.NT found in C:\WINDOWS\system32
No malicious entries were found in the AUTOEXEC.NT file
------------------------------
------ INTERNET EXPLORER HOME/START/SEARCH SETTINGS ------
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\"Start Page":
http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\"Local Page":
C:\WINDOWS\SYSTEM32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\"Search Page":
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\"Default_Page_URL":
http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\"Default_Search_URL":
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\"CustomizeSearch":
https://www.bing.com/?toHttps=1&redig=8F3F334EA60E4B1CB4D040DCFE393A89{SUB_RFC1766}/srchasst/srchcust.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\"SearchAssistant":
https://www.bing.com/?toHttps=1&redig=8F3F334EA60E4B1CB4D040DCFE393A89{SUB_RFC1766}/srchasst/srchasst.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Start Page":
https://www.google.fr/?gws_rd=ssl
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Local Page":
C:\WINDOWS\SYSTEM32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Search Page":
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Default_Search_URL":
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
------------------------------
=== CHANGES WERE MADE TO THE WINDOWS REGISTRY ===
Scan completed at: 06/09/2006 00:58:11
-------------------------------------------------------------------------
One or more files could not be moved or renamed as requested.
They may be in use by Windows, so Trojan Remover needs
to restart the system in order to deal with these files.
06/09/2006 00:58:24: restart commenced
************************************************************
::Report end