[trojan-1165] won't go away

pipoza
Hello,
avast 4.7 detects trojan-1165 at every start-up.
Located in the temp folder: random virus name that changes every time.
Deleting, quarantining: nothing works.

I have run (several times):

Avast (scan au démarrage)
Ad aware SE à jour
Spybot SD 1.4
Ccleaner 1.32
Cleanup40
SmitFraudFix (safe mode, System Restore disabled)

Nothing works.
The trojan is still there at every new start-up!

Logfile of HijackThis v1.99.1
Scan saved at 11:33:43, on 04/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Hijackthis\HijackThis.exe

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Copernic Desktop Search - {C5F7A735-70F1-477F-8C36-6FF3C736017B} - C:\Program Files\Copernic Desktop Search\CopernicDesktopSearchIntegration977.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O8 - Extra context menu item: &Traduire à partir de l'anglais - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Pages liées - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Pages similaires - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Recherche &Google - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Version de la page actuelle disponible dans le cache Google - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {09CC593B-E8A9-4491-927D-A3E33534DDD4} (InstallerObj Class) - http://m6video.m6.fr/1click/install/files/installer2.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

Is there a solution?
Thanks in advance to everyone.
--
if it ain't broken, don't fix it !
Configuration: Fujitsu Siemens
Celeron 2.4 GHz
512 MB RAM
XP SP2 Home (up to date)

3 replies

  1. Anonymous user
     
    Hi

    do this:

    Do this cleanup (to be done regularly):

    ¤ Download and install this:
    CCleaner:
    Ccleaner

    in the left column click on "Issues", tick all the boxes, then click "Scan for issues" at the bottom; once it has finished, click "Fix issues" and you will get a message asking to back up your registry, say "yes", then start again until it finds no more issues.
    The backups you have made can be deleted if your computer no longer has problems.

    ¤ Relaunch CCleaner, go to the "Cleaner" tab on the left, untick the last box ("Advanced", if it is ticked) then click "Run Cleaner".

    Download, install and then update this program (Ewido); once that is done, run a full scan of your system and paste the report here.
    Ewido: (stays free after the trial period)
    Download Ewido Security Suite

    Then

    Do this online antivirus scan with Internet Explorer and accept the ActiveX; the SP anti-popup bar (at the top) will start flashing, click it and choose "accept the ActiveX" so the antivirus scan can run.
    Once it has finished, paste the report here please

    https://www.bitdefender.com/toolbox/
  2. pipoza
     
    Good evening,

    The story continues:
    good news, it seems I have finally managed to get rid of this cursed trojan-1165.

    I used 2 programs that are rarely talked about
    - Ewido
    - Trojan Remover
    in trial version penda

    ewido anti-spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 15:03:51 04/09/2006

    + Scan result:

    C:\Documents and Settings\Monique\Mes documents\Telechargement\programmes\FixMTU.exe -> Downloader.VB.afg : No action taken.
    :mozilla.7:C:\Documents and Settings\Monique\Application Data\Mozilla\Firefox\Profiles\uuwx0iby.default\cookies.txt -> TrackingCookie.Smartadserver : No action taken.
    :mozilla.8:C:\Documents and Settings\Monique\Application Data\Mozilla\Firefox\Profiles\uuwx0iby.default\cookies.txt -> TrackingCookie.Smartadserver : No action taken.
    :mozilla.9:C:\Documents and Settings\Monique\Application Data\Mozilla\Firefox\Profiles\uuwx0iby.default\cookies.txt -> TrackingCookie.Smartadserver : No action taken.

    ***** TROJAN REMOVER HAS RESTARTED THE SYSTEM *****
    06/09/2006 01:02:03: Trojan Remover has been restarted
    Trojan Remover forced a System Restart by terminating WINLOGON.EXE.
    The Cleanup Utility was used to remove locked registry keys.
    C:\WINDOWS\system32\jkkli.dll has been renamed to C:\WINDOWS\system32\jkkli.dl$
    C:\WINDOWS\system32\jkkli.dll has been renamed to C:\WINDOWS\system32\jkkli.dl$
    06/09/2006 01:02:03: Trojan Remover closed
    ************************************************************

    ***** NORMAL SCAN FOR ACTIVE MALWARE *****
    Trojan Remover Ver 6.5.2. For information, email simplysupsupport@aol.com
    [Unregistered version]
    Scan started at: 06/09/2006 00:56:11
    Using Database v6610
    Operating System: Windows XP Home Edition Service Pack 2 (Build 2600)
    Using data directory: C:\Documents and Settings\All Users\Application Data\Trojan Remover\
    --------------------------------------------------
    00:56:11: ----------RUNNING PROCESSES-----------
    C:\WINDOWS\System32\smss.exe
    FileSize: 49 Kb
    Company Name: Microsoft Corporation
    File Description: Gestionnaire de session Windows NT
    File Version: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    Date Created: 30/08/2002 14:00:00
    Last Modified: 19/08/2004 16:10:04
    Internal Name: smss.exe
    Copyright: © Microsoft Corporation. Tous droits réservés.
    Original Filename: smss.exe
    Product Name: Système d'exploitation Microsoft® Windows®
    Product Version: 5.1.2600.2180
    --------------------
    C:\WINDOWS\system32\csrss.exe
    FileSize: 6 Kb
    Company Name: Microsoft Corporation
    File Description: Client Server Runtime Process
    File Version: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    Date Created: 30/08/2002 14:00:00
    Last Modified: 19/08/2004 16:09:52
    Internal Name: CSRSS.Exe
    Copyright: © Microsoft Corporation. All rights reserved.
    Original Filename: CSRSS.Exe
    Product Name: Microsoft® Windows® Operating System
    Product Version: 5.1.2600.2180
    --------------------
    C:\WINDOWS\system32\winlogon.exe
    FileSize: 494 Kb
    Company Name: Microsoft Corporation
    File Description: Application d'ouverture de session Windows NT
    File Version: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    Date Created: 30/08/2002 14:00:00
    Last Modified: 19/08/2004 16:10:06
    Internal Name: winlogon
    Copyright: © Microsoft Corporation. Tous droits réservés.
    Original Filename: WINLOGON.EXE
    Product Name: Système d'exploitation Microsoft® Windows®
    Product Version: 5.1.2600.2180
    --------------------
    C:\WINDOWS\system32\services.exe
    FileSize: 106 Kb
    Company Name: Microsoft Corporation
    File Description: Applications Services et Contrôleur
    File Version: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    Date Created: 30/08/2002 14:00:00
    Last Modified: 19/08/2004 16:10:04
    Internal Name: services.exe
    Copyright: © Microsoft Corporation. Tous droits réservés.
    Original Filename: services.exe
    Product Name: Système d'exploitation Microsoft® Windows®
    Product Version: 5.1.2600.2180
    --------------------
    C:\WINDOWS\system32\lsass.exe
    FileSize: 13 Kb
    Company Name: Microsoft Corporation
    File Description: LSA Shell (Export Version)
    File Version: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    Date Created: 30/08/2002 14:00:00
    Last Modified: 19/08/2004 16:09:56
    Internal Name: lsass.exe
    Copyright: © Microsoft Corporation. All rights reserved.
    Original Filename: lsass.exe
    Product Name: Microsoft® Windows® Operating System
    Product Version: 5.1.2600.2180
    --------------------
    C:\WINDOWS\system32\svchost.exe
    FileSize: 14 Kb
    Company Name: Microsoft Corporation
    File Description: Generic Host Process for Win32 Services
    File Version: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    Date Created: 30/08/2002 14:00:00
    Last Modified: 19/08/2004 16:10:04
    Internal Name: svchost.exe
    Copyright: © Microsoft Corporation. All rights reserved.
    Original Filename: svchost.exe
    Product Name: Microsoft® Windows® Operating System
    Product Version: 5.1.2600.2180
    --------------------
    C:\WINDOWS\system32\svchost.exe
    FileSize: 14 Kb
    Company Name: Microsoft Corporation
    File Description: Generic Host Process for Win32 Services
    File Version: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    Date Created: 30/08/2002 14:00:00
    Last Modified: 19/08/2004 16:10:04
    Internal Name: svchost.exe
    Copyright: © Microsoft Corporation. All rights reserved.
    Original Filename: svchost.exe
    Product Name: Microsoft® Windows® Operating System
    Product Version: 5.1.2600.2180
    --------------------
    C:\Program Files\Windows Defender\MsMpEng.exe
    FileSize: 13 Kb
    Company Name: Microsoft Corporation
    File Description: Service Executable
    File Version: 1.1.1347.0
    Date Created: 03/04/2006 18:12:14
    Last Modified: 03/04/2006 18:12:14
    Internal Name: MsMpEng.exe
    Copyright: © Microsoft Corporation. All rights reserved.
    Original Filename: MsMpEng.exe
    Product Name: Windows Defender
    Product Version: 1.1.1347.0
    --------------------
    C:\WINDOWS\System32\svchost.exe
    FileSize: 14 Kb
    Company Name: Microsoft Corporation
    File Description: Generic Host Process for Win32 Services
    File Version: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    Date Created: 30/08/2002 14:00:00
    Last Modified: 19/08/2004 16:10:04
    Internal Name: svchost.exe
    Copyright: © Microsoft Corporation. All rights reserved.
    Original Filename: svchost.exe
    Product Name: Microsoft® Windows® Operating System
    Product Version: 5.1.2600.2180
    --------------------
    C:\WINDOWS\System32\svchost.exe
    FileSize: 14 Kb
    Company Name: Microsoft Corporation
    File Description: Generic Host Process for Win32 Services
    File Version: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    Date Created: 30/08/2002 14:00:00
    Last Modified: 19/08/2004 16:10:04
    Internal Name: svchost.exe
    Copyright: © Microsoft Corporation. All rights reserved.
    Original Filename: svchost.exe
    Product Name: Microsoft® Windows® Operating System
    Product Version: 5.1.2600.2180
    --------------------
    C:\WINDOWS\System32\svchost.exe
    FileSize: 14 Kb
    Company Name: Microsoft Corporation
    File Description: Generic Host Process for Win32 Services
    File Version: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    Date Created: 30/08/2002 14:00:00
    Last Modified: 19/08/2004 16:10:04
    Internal Name: svchost.exe
    Copyright: © Microsoft Corporation. All rights reserved.
    Original Filename: svchost.exe
    Product Name: Microsoft® Windows® Operating System
    Product Version: 5.1.2600.2180
    --------------------
    C:\WINDOWS\system32\spoolsv.exe
    FileSize: 56 Kb
    Company Name: Microsoft Corporation
    File Description: Spooler SubSystem App
    File Version: 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)
    Date Created: 30/08/2002 14:00:00
    Last Modified: 11/06/2005 01:53:32
    Internal Name: spoolsv.exe
    Copyright: © Microsoft Corporation. All rights reserved.
    Original Filename: spoolsv.exe
    Product Name: Microsoft® Windows® Operating System
    Product Version: 5.1.2600.2696
    --------------------
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    FileSize: 57 Kb
    Date Created: 19/02/2006 12:39:44
    Last Modified: 05/08/2006 17:10:10
    --------------------
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    FileSize: 105 Kb
    File Description: avast! antivirus service
    File Version: 4, 7, 844, 0
    Date Created: 19/02/2006 12:39:44
    Last Modified: 05/08/2006 08:23:06
    Internal Name: aswServ
    Copyright: Copyright (c) 2006 ALWIL Software
    Original Filename: aswServ.exe
    Product Name: avast! Antivirus
    Product Version: 4, 7, 0, 0
    --------------------
    C:\WINDOWS\Explorer.EXE
    FileSize: 1012 Kb
    Company Name: Microsoft Corporation
    File Description: Explorateur Windows
    File Version: 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
    Date Created: 30/08/2002 14:00:00
    Last Modified: 19/08/2004 16:09:54
    Internal Name: explorer
    Copyright: © Microsoft Corporation. Tous droits réservés.
    Original Filename: EXPLORER.EXE
    Product Name: Système d'exploitation Microsoft® Windows®
    Product Version: 6.00.2900.2180
    --------------------
    C:\WINDOWS\system32\crypserv.exe
    FileSize: 51 Kb
    Company Name: Kenonic Controls Ltd.
    File Description: CrypKey NT Service
    File Version: 5.4.0
    Date Created: 18/06/2006 17:01:46
    Last Modified: 29/06/2000 10:45:10
    Internal Name: crypserv
    Copyright: Copyright © 2000
    Trademark: CrypKey
    Original Filename: crypserv.exe
    Product Name: CrypKey Software Licensing System
    Product Version: 5.4
    Special Build: Fixes short\long path problem
    Comments: Operates in all directories, not just configured ones. Directory configuration only used for fille clean up and uninstall. 0/3 fixed problem with other partitions. 0/6 fixed problem with short paths
    --------------------
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    FileSize: 168 Kb
    Company Name: Anti-Malware Development a.s.
    File Description: ewido anti-spyware guard
    File Version: 4, 0, 0, 172
    Date Created: 16/06/2006 16:38:44
    Last Modified: 16/06/2006 16:38:44
    Internal Name: ewido anti-spywareguard
    Copyright: Copyright © 2005 Anti-Malware Development a.s.
    Original Filename: guard.exe
    Product Name: ewido anti-spyware
    Product Version: 4, 0, 0, 172
    Special Build: Ewido_2006_0616_163629(172), SVNRev 43094 (/trunk)
    --------------------
    C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
    FileSize: 196 Kb
    Company Name: Symantec Corporation
    File Description: Norton Ghost Start
    File Version: 2003.793
    Date Created: 17/12/2003 16:51:44
    Last Modified: 17/12/2003 16:51:44
    Internal Name: GhostStartService
    Copyright: Copyright (C) 1998-2003 Symantec Corp. All rights reserved.
    Original Filename: GhostStartService.exe
    Product Name: Norton Ghost Start Service
    Product Version: 2003.793
    --------------------
    C:\WINDOWS\system32\slserv.exe
    FileSize: 44 Kb
    Company Name:
    File Description: User-Level Modem Service
    File Version: 2.80.00(24Apr2000)
    Date Created: 06/08/2003 04:17:17
    Last Modified: 17/01/2003 03:02:38
    Internal Name: slserv
    Copyright: Copyright © 1999-2000
    Trademark:
    Original Filename: slserv.exe
    Private Build:
    Product Name: Modem
    Product Version: 2.80.00
    Special Build:
    Comments:
    --------------------
    C:\WINDOWS\System32\svchost.exe
    FileSize: 14 Kb
    Company Name: Microsoft Corporation
    File Description: Generic Host Process for Win32 Services
    File Version: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    Date Created: 30/08/2002 14:00:00
    Last Modified: 19/08/2004 16:10:04
    Internal Name: svchost.exe
    Copyright: © Microsoft Corporation. All rights reserved.
    Original Filename: svchost.exe
    Product Name: Microsoft® Windows® Operating System
    Product Version: 5.1.2600.2180
    --------------------
    C:\WINDOWS\system32\wdfmgr.exe
    FileSize: 38 Kb
    Company Name: Microsoft Corporation
    File Description: Windows User Mode Driver Manager
    File Version: 5.2.3790.1230 built by: DNSRV(bld4act)
    Date Created: 10/08/2004 23:05:14
    Last Modified: 10/08/2004 23:05:14
    Internal Name: WdfMgr
    Copyright: © Microsoft Corporation. All rights reserved.
    Original Filename: WdfMgr.exe
    Product Name: Microsoft® Windows® Operating System
    Product Version: 5.2.3790.1230
    --------------------
    C:\WINDOWS\System32\alg.exe
    FileSize: 43 Kb
    Company Name: Microsoft Corporation
    File Description: Application Layer Gateway Service
    File Version: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    Date Created: 30/08/2002 14:00:00
    Last Modified: 19/08/2004 16:09:52
    Internal Name: ALG.exe
    Copyright: © Microsoft Corporation. All rights reserved.
    Original Filename: ALG.exe
    Product Name: Microsoft® Windows® Operating System
    Product Version: 5.1.2600.2180
    --------------------
    C:\WINDOWS\System32\hkcmd.exe
    FileSize: 112 Kb
    Company Name: Intel Corporation
    File Description: hkcmd Module
    File Version: 3,0,0,2104
    Date Created: 06/08/2003 04:17:41
    Last Modified: 07/04/2003 00:07:38
    Internal Name: HKCMD
    Copyright: Copyright 1999-2003, Intel Corporation
    Original Filename: HKCMD.EXE
    Product Name: Intel(R) Common User Interface
    Product Version: 7,0,0,2104
    --------------------
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    FileSize: 37 Kb
    Company Name: Logitech Inc.
    File Description: Logitech Events Handler Application
    File Version: 9.76.046
    Date Created: 18/11/2004 00:29:31
    Last Modified: 19/03/2003 10:50:00
    Internal Name: Em_Exec
    Copyright: (C) 1987-2003 Logitech. All rights reserved.
    Trademark: Logitech® and MouseWare® are registered trademarks of Logitech Inc.
    Original Filename: Em_Exec.exe
    Product Name: MouseWare
    Product Version: 9.76.046
    Comments: Created by the MouseWare team
    --------------------
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    FileSize: 105 Kb
    File Description: avast! service GUI component
    File Version: 5, 0, 0, 0
    Date Created: 19/02/2006 12:39:44
    Last Modified: 05/08/2006 08:23:12
    Internal Name: aswDisp
    Copyright: Copyright (c) 2006 ALWIL Software
    Original Filename: aswDisp.exe
    Product Name: avast! Antivirus
    Product Version: 5, 0, 0, 0
    --------------------
    C:\Program Files\Windows Defender\MSASCui.exe
    FileSize: 759 Kb
    Company Name: Microsoft Corporation
    File Description: Windows Defender User Interface
    File Version: 1.1.1347.0
    Date Created: 03/04/2006 18:12:24
    Last Modified: 03/04/2006 18:12:24
    Internal Name: MSASCUI
    Copyright: © Microsoft Corporation. All rights reserved.
    Original Filename: MSASCUI.exe
    Product Name: Windows Defender
    Product Version: 1.1.1347.0
    --------------------
    C:\Program Files\Messenger\msmsgs.exe
    FileSize: 1.62 Mb
    Company Name: Microsoft Corporation
    File Description: Windows Messenger
    File Version: 4.7.3001
    Date Created: 14/04/2003 21:05:50
    Last Modified: 13/10/2004 18:24:38
    Internal Name: msmsgs
    Copyright: Copyright (c) Microsoft Corporation 2004
    Trademark: Microsoft(R) is a registered trademark of Microsoft Corporation in the U.S. and/or other countries.
    Original Filename: msmsgs.exe
    Product Name: Messenger
    Product Version: Version 4.7.3001
    --------------------
    C:\Documents and Settings\All Users\Application Data\Trojan Remover\cpc2D5.exe
    FileSize: 1.58 Mb
    [This is a Trojan Remover component]
    --------------------
    C:\Documents and Settings\All Users\Application Data\Trojan Remover\cpc2D5.exe
    FileSize: 1.58 Mb
    [This is a Trojan Remover component]
    --------------------
    C:\WINDOWS\system32\wscntfy.exe
    FileSize: 13 Kb
    Company Name: Microsoft Corporation
    File Description: Windows Security Center Notification App
    File Version: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    Date Created: 25/05/2005 15:13:03
    Last Modified: 19/08/2004 16:10:06
    Internal Name: wscntfy.exe
    Copyright: © Microsoft Corporation. All rights reserved.
    Original Filename: wscntfy.exe
    Product Name: Microsoft® Windows® Operating System
    Product Version: 5.1.2600.2180
    --------------------
    Checking Registry exefile command for modifications
    Checking Registry comfile command for modifications
    Checking Registry piffile command for modifications
    Checking Registry batfile command for modifications
    Checking Registry regfile command for modifications
    Checking Registry cmdfile command for modifications
    Checking Registry scrfile command for modifications
    ------------------------------
    00:56:16: Scanning ----------WIN.INI-----------
    WIN.INI found in C:\WINDOWS
    ------------------------------
    00:56:16: Scanning --------SYSTEM.INI---------
    SYSTEM.INI found in C:\WINDOWS
    ------------------------------
    00:56:16: ----- SCANNING FOR ROOTKIT SERVICES -----
    No hidden Services were detected.
    ------------------------------
    00:56:16: Scanning -----WINDOWS REGISTRY-----
    Checking HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Vxd
    --------------------
    Checking HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon
    --------------------
    Checking HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon
    This key's "Shell" value calls the following program(s):
    Explorer.exe - this entry has been left in place
    --------------------
    This key's "Userinit" value calls the following program(s):
    C:\WINDOWS\system32\userinit.exe - this entry has been left in place
    --------------------
    --------------------
    Checking HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    --------------------
    Checking HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    Value Name = load
    The Data Value for this entry appears to be blank
    --------------------
    --------------------
    Checking HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    This Registry Key attempts to run the following program(s):
    Value Name = HotKeysCmds
    Value Data = C:\WINDOWS\System32\hkcmd.exe - this command has been left in place
    --------------------
    Value Name = Logitech Utility
    Value Data = Logi_MwX.Exe - this command has been left in place
    --------------------
    Value Name = avast!
    Value Data = C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe - this command has been left in place
    --------------------
    Value Name = Windows Defender
    Value Data = C:\Program Files\Windows Defender\MSASCui.exe" -hide - this command has been left in place
    --------------------
    Value Name = QuickTime Task
    Value Data = C:\Program Files\QuickTime\qttask.exe" -atboottime - this command has been left in place
    --------------------
    Value Name = TrojanScanner
    Value Data = C:\Program Files\Trojan Remover\Trjscan.exe - this program is Trojan Remover's own scan file
    --------------------
    --------------------
    Checking HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
    This Registry Key appears to be empty
    --------------------
    Checking HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
    This Registry Key appears to be empty
    --------------------
    Checking HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
    This Registry Key appears to be empty
    --------------------
    Checking HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
    This Registry Key appears to be empty
    --------------------
    Checking HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    This Registry Key attempts to run the following program(s):
    Value Name = MSMSGS
    Value Data = C:\Program Files\Messenger\msmsgs.exe" /background - this command has been left in place
    --------------------
    Value Name = Skype
    Value Data = C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized - this command has been left in place
    --------------------
    --------------------
    Checking HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    This Registry Key appears to be empty
    --------------------
    Checking HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
    This Registry Key appears to be empty
    --------------------
    Checking HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
    This Registry Key appears to be empty
    --------------------
    Checking for an active ScreenSaver:
    ScreenSaver=C:\WINDOWS\System32\ssmypics.scr - this command has been left in place
    --------------------
    ------------------------------
    00:56:17: Scanning ----- REGISTRY ACTIVE SETUP KEYS -----
    Checking the StubPath calls in the Active Setup\Installed Components registry keys:
    Key=>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}
    StubPath=C:\WINDOWS\inf\unregmp2.exe - this reference has been left in place
    ----------
    Key=>{26923b43-4d38-484f-9b9e-de460746276c}
    StubPath=C:\WINDOWS\system32\shmgrate.exe - this reference has been left in place
    ----------
    Key=>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}
    StubPath=C:\WINDOWS\system32\shmgrate.exe - this reference has been left in place
    ----------
    Key={2C7339CF-2B09-4501-B3F3-F3508C9228ED}
    StubPath=C:\WINDOWS\system32\regsvr32.exe - this reference has been left in place
    ----------
    Key={44BBA840-CC51-11CF-AAFA-00AA00B6015C}
    StubPath=C:\Program Files\Outlook Express\setup50.exe - this reference has been left in place
    ----------
    Key={7790769C-0471-11d2-AF11-00C04FA35D02}
    StubPath=C:\Program Files\Outlook Express\setup50.exe - this reference has been left in place
    ----------
    Key={89820200-ECBD-11cf-8B85-00AA005B4340}
    StubPath=regsvr32.exe - this reference has been left in place
    ----------
    Key={89820200-ECBD-11cf-8B85-00AA005B4383}
    StubPath=C:\WINDOWS\system32\ie4uinit.exe - this reference has been left in place
    ----------
    ------------------------------
    00:56:18: Scanning ----- NT/XP SERVICEDLL REGISTRY KEYS -----
    Checking DLL files called from the NT/XP CurrentControlSet\Services Keys:
    Key=Alerter
    ServiceDLL=%SystemRoot%\system32\alrsvc.dll - this reference has been left in place
    Key=AppMgmt
    ServiceDLL=%SystemRoot%\System32\appmgmts.dll - this reference has been left in place [file not found to scan]
    Key=AudioSrv
    ServiceDLL=%SystemRoot%\System32\audiosrv.dll - this reference has been left in place
    Key=BITS
    ServiceDLL=C:\WINDOWS\System32\qmgr.dll - this reference has been left in place
    Key=Browser
    ServiceDLL=%SystemRoot%\System32\browser.dll - this reference has been left in place
    Key=CryptSvc
    ServiceDLL=%SystemRoot%\System32\cryptsvc.dll - this reference has been left in place
    Key=DcomLaunch
    ServiceDLL=%SystemRoot%\system32\rpcss.dll - this reference has been left in place
    Key=Dhcp
    ServiceDLL=%SystemRoot%\System32\dhcpcsvc.dll - this reference has been left in place
    Key=dmserver
    ServiceDLL=%SystemRoot%\System32\dmserver.dll - this reference has been left in place
    Key=Dnscache
    ServiceDLL=%SystemRoot%\System32\dnsrslvr.dll - this reference has been left in place
    Key=ERSvc
    ServiceDLL=%SystemRoot%\System32\ersvc.dll - this reference has been left in place
    Key=EventSystem
    ServiceDLL=C:\WINDOWS\System32\es.dll - this reference has been left in place
    Key=FastUserSwitchingCompatibility
    ServiceDLL=%SystemRoot%\System32\shsvcs.dll - this reference has been left in place
    Key=helpsvc
    ServiceDLL=%WINDIR%\PCHealth\HelpCtr\Binaries\pchsvc.dll - this reference has been left in place
    Key=HidServ
    ServiceDLL=%SystemRoot%\System32\hidserv.dll - this reference has been left in place [file not found to scan]
    Key=HTTPFilter
    ServiceDLL=%SystemRoot%\System32\w3ssl.dll - this reference has been left in place
    Key=lanmanserver
    ServiceDLL=%SystemRoot%\System32\srvsvc.dll - this reference has been left in place
    Key=lanmanworkstation
    ServiceDLL=%SystemRoot%\System32\wkssvc.dll - this reference has been left in place
    Key=LmHosts
    ServiceDLL=%SystemRoot%\System32\lmhsvc.dll - this reference has been left in place
    Key=Messenger
    ServiceDLL=%SystemRoot%\System32\msgsvc.dll - this reference has been left in place
    Key=Netman
    ServiceDLL=%SystemRoot%\System32\netman.dll - this reference has been left in place
    Key=Nla
    ServiceDLL=%SystemRoot%\System32\mswsock.dll - this reference has been left in place
    Key=NtmsSvc
    ServiceDLL=%SystemRoot%\system32\ntmssvc.dll - this reference has been left in place
    Key=RasAuto
    ServiceDLL=%SystemRoot%\System32\rasauto.dll - this reference has been left in place
    Key=RasMan
    ServiceDLL=%SystemRoot%\System32\rasmans.dll - this reference has been left in place
    Key=RemoteAccess
    ServiceDLL=%SystemRoot%\System32\mprdim.dll - this reference has been left in place
    Key=RpcSs
    ServiceDLL=%SystemRoot%\system32\rpcss.dll - this reference has been left in place
    Key=Schedule
    ServiceDLL=%SystemRoot%\system32\schedsvc.dll - this reference has been left in place
    Key=seclogon
    ServiceDLL=%SystemRoot%\System32\seclogon.dll - this reference has been left in place
    Key=SENS
    ServiceDLL=%SystemRoot%\system32\sens.dll - this reference has been left in place
    Key=SharedAccess
    ServiceDLL=%SystemRoot%\System32\ipnathlp.dll - this reference has been left in place
    Key=ShellHWDetection
    ServiceDLL=%SystemRoot%\System32\shsvcs.dll - this reference has been left in place
    Key=srservice
    ServiceDLL=C:\WINDOWS\System32\srsvc.dll - this reference has been left in place
    Key=SSDPSRV
    ServiceDLL=%SystemRoot%\System32\ssdpsrv.dll - this reference has been left in place
    Key=stisvc
    ServiceDLL=%SystemRoot%\system32\wiaservc.dll - this reference has been left in place
    Key=TapiSrv
    ServiceDLL=%SystemRoot%\System32\tapisrv.dll - this reference has been left in place
    Key=TermService
    ServiceDLL=%SystemRoot%\System32\termsrv.dll - this reference has been left in place
    Key=Themes
    ServiceDLL=%SystemRoot%\System32\shsvcs.dll - this reference has been left in place
    Key=TrkWks
    ServiceDLL=%SystemRoot%\system32\trkwks.dll - this reference has been left in place
    Key=upnphost
    ServiceDLL=%SystemRoot%\System32\upnphost.dll - this reference has been left in place
    Key=W32Time
    ServiceDLL=C:\WINDOWS\System32\w32time.dll - this reference has been left in place
    Key=WebClient
    ServiceDLL=%SystemRoot%\System32\webclnt.dll - this reference has been left in place
    Key=winmgmt
    ServiceDLL=%SystemRoot%\system32\wbem\WMIsvc.dll - this reference has been left in place
    Key=WmdmPmSN
    ServiceDLL=C:\WINDOWS\system32\MsPMSNSv.dll - this reference has been left in place
    Key=wscsvc
    ServiceDLL=%SYSTEMROOT%\system32\wscsvc.dll - this reference has been left in place
    Key=wuauserv
    ServiceDLL=C:\WINDOWS\system32\wuauserv.dll - this reference has been left in place
    Key=WZCSVC
    ServiceDLL=%SystemRoot%\System32\wzcsvc.dll - this reference has been left in place
    Key=xmlprov
    ServiceDLL=%SystemRoot%\System32\xmlprov.dll - this reference has been left in place
    ------------------------------
    00:56:24: Scanning ----- NT/XP SERVICES REGISTRY KEYS -----
    Checking files called from the NT/XP CurrentControlSet\Services Keys:
    Key=ACPI
    ImagePath=System32\DRIVERS\ACPI.sys - this reference has been left in place
    ----------
    Key=aec
    ImagePath=system32\drivers\aec.sys - this reference has been left in place
    ----------
    Key=AFD
    ImagePath=\SystemRoot\System32\drivers\afd.sys - this reference has been left in place
    ----------
    Key=ALCXWDM
    ImagePath=system32\drivers\ALCXWDM.SYS - this reference has been left in place
    ----------
    Key=ALG
    ImagePath=%SystemRoot%\System32\alg.exe - this reference has been left in place
    ----------
    Key=aswUpdSv
    ImagePath="C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe" - this reference has been left in place
    ----------
    Key=AsyncMac
    ImagePath=System32\DRIVERS\asyncmac.sys - this reference has been left in place
    ----------
    Key=atapi
    ImagePath=System32\DRIVERS\atapi.sys - this reference has been left in place
    ----------
    Key=Atmarpc
    ImagePath=System32\DRIVERS\atmarpc.sys - this reference has been left in place
    ----------
    Key=audstub
    ImagePath=System32\DRIVERS\audstub.sys - this reference has been left in place
    ----------
    Key=avast! Antivirus
    ImagePath="C:\Program Files\Alwil Software\Avast4\ashServ.exe" - this reference has been left in place
    ----------
    Key=avast! Mail Scanner
    ImagePath="C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service - this reference has been left in place
    ----------
    Key=avast! Web Scanner
    ImagePath="C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service - this reference has been left in place
    ----------
    Key=Cdrom
    ImagePath=System32\DRIVERS\cdrom.sys - this reference has been left in place
    ----------
    Key=CiSvc
    ImagePath=%SystemRoot%\system32\cisvc.exe - this reference has been left in place
    ----------
    Key=ClipSrv
    ImagePath=%SystemRoot%\system32\clipsrv.exe - this reference has been left in place
    ----------
    Key=COMSysApp
    ImagePath=C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} - this reference has been left in place
    ----------
    Key=Crypkey License
    ImagePath=crypserv.exe - this reference has been left in place
    ----------
    Key=Disk
    ImagePath=System32\DRIVERS\disk.sys - this reference has been left in place
    ----------
    Key=dmadmin
    ImagePath=%SystemRoot%\System32\dmadmin.exe /com - this reference has been left in place
    ----------
    Key=dmboot
    ImagePath=System32\drivers\dmboot.sys - this reference has been left in place
    ----------
    Key=DMusic
    ImagePath=system32\drivers\DMusic.sys - this reference has been left in place
    ----------
    Key=drmkaud
    ImagePath=system32\drivers\drmkaud.sys - this reference has been left in place
    ----------
    Key=Eventlog
    ImagePath=%SystemRoot%\system32\services.exe - this reference has been left in place
    ----------
    Key=ewido anti-spyware 4.0 driver
    ImagePath=\??\C:\Program Files\ewido anti-spyware 4.0\guard.sys - this reference has been left in place
    ----------
    Key=ewido anti-spyware 4.0 guard
    ImagePath=C:\Program Files\ewido anti-spyware 4.0\guard.exe - this reference has been left in place
    ----------
    Key=Fax
    ImagePath=%systemroot%\system32\fxssvc.exe - this reference has been left in place
    ----------
    Key=Fdc
    ImagePath=System32\DRIVERS\fdc.sys - this reference has been left in place
    ----------
    Key=Flpydisk
    ImagePath=System32\DRIVERS\flpydisk.sys - this reference has been left in place
    ----------
    Key=FltMgr
    ImagePath=system32\drivers\fltmgr.sys - this reference has been left in place
    ----------
    Key=Ftdisk
    ImagePath=System32\DRIVERS\ftdisk.sys - this reference has been left in place
    ----------
    Key=GhostStartService
    ImagePath=C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe - this reference has been left in place
    ----------
    Key=GhPciScan
    ImagePath=\??\C:\Program Files\Symantec\Norton Ghost 2003\ghpciscan.sys - this reference has been left in place
    ----------
    Key=Gpc
    ImagePath=System32\DRIVERS\msgpc.sys - this reference has been left in place
    ----------
    Key=HTTP
    ImagePath=System32\Drivers\HTTP.sys - this reference has been left in place
    ----------
    Key=i8042prt
    ImagePath=System32\DRIVERS\i8042prt.sys - this reference has been left in place
    ----------
    Key=ialm
    ImagePath=System32\DRIVERS\ialmnt5.sys - this reference has been left in place
    ----------
    Key=Imapi
    ImagePath=System32\DRIVERS\imapi.sys - this reference has been left in place
    ----------
    Key=ImapiService
    ImagePath=C:\WINDOWS\System32\imapi.exe - this reference has been left in place
    ----------
    Key=IntelIde
    ImagePath=System32\DRIVERS\intelide.sys - this reference has been left in place
    ----------
    Key=intelppm
    ImagePath=System32\DRIVERS\intelppm.sys - this reference has been left in place
    ----------
    Key=ip6fw
    ImagePath=system32\drivers\ip6fw.sys - this reference has been left in place
    ----------
    Key=IpFilterDriver
    ImagePath=System32\DRIVERS\ipfltdrv.sys - this reference has been left in place
    ----------
    Key=IpInIp
    ImagePath=System32\DRIVERS\ipinip.sys - this reference has been left in place
    ----------
    Key=IpNat
    ImagePath=System32\DRIVERS\ipnat.sys - this reference has been left in place
    ----------
    Key=IPSec
    ImagePath=System32\DRIVERS\ipsec.sys - this reference has been left in place
    ----------
    Key=IRENUM
    ImagePath=System32\DRIVERS\irenum.sys - this reference has been left in place
    ----------
    Key=isapnp
    ImagePath=System32\DRIVERS\isapnp.sys - this reference has been left in place
    ----------
    Key=Kbdclass
    ImagePath=System32\DRIVERS\kbdclass.sys - this reference has been left in place
    ----------
    Key=kmixer
    ImagePath=system32\drivers\kmixer.sys - this reference has been left in place
    ----------
    Key=L8042pr2
    ImagePath=System32\DRIVERS\L8042pr2.Sys - this reference has been left in place
    ----------
    Key=LHidFlt2
    ImagePath=System32\DRIVERS\LHidFlt2.Sys - this reference has been left in place
    ----------
    Key=LHidUsb
    ImagePath=System32\Drivers\LHidUsb.Sys - this reference has been left in place
    ----------
    Key=LMouFlt2
    ImagePath=System32\DRIVERS\LMouFlt2.Sys - this reference has been left in place
    ----------
    Key=mnmsrvc
    ImagePath=C:\WINDOWS\System32\mnmsrvc.exe - this reference has been left in place
    ----------
    Key=Mouclass
    ImagePath=System32\DRIVERS\mouclass.sys - this reference has been left in place
    ----------
    Key=mouhid
    ImagePath=System32\DRIVERS\mouhid.sys - this reference has been left in place
    ----------
    Key=MRxDAV
    ImagePath=System32\DRIVERS\mrxdav.sys - this reference has been left in place
    ----------
    Key=MRxSmb
    ImagePath=System32\DRIVERS\mrxsmb.sys - this reference has been left in place
    ----------
    Key=MSDTC
    ImagePath=C:\WINDOWS\System32\msdtc.exe - this reference has been left in place
    ----------
    Key=MSIServer
    ImagePath=C:\WINDOWS\system32\msiexec.exe /V - this reference has been left in place
    ----------
    Key=MSKSSRV
    ImagePath=system32\drivers\MSKSSRV.sys - this reference has been left in place
    ----------
    Key=MSPCLOCK
    ImagePath=system32\drivers\MSPCLOCK.sys - this reference has been left in place
    ----------
    Key=MSPQM
    ImagePath=system32\drivers\MSPQM.sys - this reference has been left in place
    ----------
    Key=mssmbios
    ImagePath=System32\DRIVERS\mssmbios.sys - this reference has been left in place
    ----------
    Key=Mtlmnt5
    ImagePath=System32\DRIVERS\Mtlmnt5.sys - this reference has been left in place
    ----------
    Key=Mtlstrm
    ImagePath=System32\DRIVERS\Mtlstrm.sys - this reference has been left in place
    ----------
    Key=NdisTapi
    ImagePath=System32\DRIVERS\ndistapi.sys - this reference has been left in place
    ----------
    Key=Ndisuio
    ImagePath=System32\DRIVERS\ndisuio.sys - this reference has been left in place
    ----------
    Key=NdisWan
    ImagePath=System32\DRIVERS\ndiswan.sys - this reference has been left in place
    ----------
    Key=NetBIOS
    ImagePath=System32\DRIVERS\netbios.sys - this reference has been left in place
    ----------
    Key=NetBT
    ImagePath=System32\DRIVERS\netbt.sys - this reference has been left in place
    ----------
    Key=NetDDE
    ImagePath=%SystemRoot%\system32\netdde.exe - this reference has been left in place
    ----------
    Key=NetDDEdsdm
    ImagePath=%SystemRoot%\system32\netdde.exe - this reference has been left in place
    ----------
    Key=Netlogon
    ImagePath=%SystemRoot%\System32\lsass.exe - this reference has been left in place
    ----------
    Key=NetworkX
    ImagePath=\SystemRoot\system32\ckldrv.sys - this reference has been left in place
    ----------
    Key=NtLmSsp
    ImagePath=%SystemRoot%\System32\lsass.exe - this reference has been left in place
    ----------
    Key=NtMtlFax
    ImagePath=System32\DRIVERS\NtMtlFax.sys - this reference has been left in place
    ----------
    Key=NwlnkFlt
    ImagePath=System32\DRIVERS\nwlnkflt.sys - this reference has been left in place
    ----------
    Key=NwlnkFwd
    ImagePath=System32\DRIVERS\nwlnkfwd.sys - this reference has been left in place
    ----------
    Key=O&O Defrag
    ImagePath=C:\WINDOWS\system32\oodag.exe - this reference has been left in place
    ----------
    Key=Parport
    ImagePath=System32\DRIVERS\parport.sys - this reference has been left in place
    ----------
    Key=PCI
    ImagePath=System32\DRIVERS\pci.sys - this reference has been left in place
    ----------
    Key=PCIIde
    ImagePath=System32\DRIVERS\pciide.sys - this reference has been left in place
    ----------
    Key=Pcouffin
    ImagePath=System32\Drivers\Pcouffin.sys - this reference has been left in place
    ----------
    Key=PlugPlay
    ImagePath=%SystemRoot%\system32\services.exe - this reference has been left in place
    ----------
    Key=PolicyAgent
    ImagePath=%SystemRoot%\System32\lsass.exe - this reference has been left in place
    ----------
    Key=PptpMiniport
    ImagePath=System32\DRIVERS\raspptp.sys - this reference has been left in place
    ----------
    Key=Processor
    ImagePath=System32\DRIVERS\processr.sys - this reference has been left in place
    ----------
    Key=ProtectedStorage
    ImagePath=%SystemRoot%\system32\lsass.exe - this reference has been left in place
    ----------
    Key=PSched
    ImagePath=System32\DRIVERS\psched.sys - this reference has been left in place
    ----------
    Key=Ptilink
    ImagePath=System32\DRIVERS\ptilink.sys - this reference has been left in place
    ----------
    Key=PxHelp20
    ImagePath=System32\DRIVERS\PxHelp20.sys - this reference has been left in place
    ----------
    Key=RasAcd
    ImagePath=System32\DRIVERS\rasacd.sys - this reference has been left in place
    ----------
    Key=Rasl2tp
    ImagePath=System32\DRIVERS\rasl2tp.sys - this reference has been left in place
    ----------
    Key=RasPppoe
    ImagePath=System32\DRIVERS\raspppoe.sys - this reference has been left in place
    ----------
    Key=Raspti
    ImagePath=System32\DRIVERS\raspti.sys - this reference has been left in place
    ----------
    Key=Rdbss
    ImagePath=System32\DRIVERS\rdbss.sys - this reference has been left in place
    ----------
    Key=RDPCDD
    ImagePath=System32\DRIVERS\RDPCDD.sys - this reference has been left in place
    ----------
    Key=RDSessMgr
    ImagePath=C:\WINDOWS\system32\sessmgr.exe - this reference has been left in place
    ----------
    Key=RecAgent
    ImagePath=\??\C:\WINDOWS\System32\DRIVERS\RecAgent.sys - this reference has been left in place
    ----------
    Key=redbook
    ImagePath=System32\DRIVERS\redbook.sys - this reference has been left in place
    ----------
    Key=RpcLocator
    ImagePath=%SystemRoot%\System32\locator.exe - this reference has been left in place
    ----------
    Key=RSVP
    ImagePath=%SystemRoot%\System32\rsvp.exe - this reference has been left in place
    ----------
    Key=rtl8139
    ImagePath=System32\DRIVERS\R8139n51.SYS - this reference has been left in place
    ----------
    Key=SamSs
    ImagePath=%SystemRoot%\system32\lsass.exe - this reference has been left in place
    ----------
    Key=SCardSvr
    ImagePath=%SystemRoot%\System32\SCardSvr.exe - this reference has been left in place
    ----------
    Key=ScsiPort
    ImagePath=%SystemRoot%\system32\drivers\scsiport.sys - this reference has been left in place
    ----------
    Key=Secdrv
    ImagePath=System32\DRIVERS\secdrv.sys - this reference has been left in place
    ----------
    Key=serenum
    ImagePath=System32\DRIVERS\serenum.sys - this reference has been left in place
    ----------
    Key=Serial
    ImagePath=System32\DRIVERS\serial.sys - this reference has been left in place
    ----------
    Key=Slntamr
    ImagePath=System32\DRIVERS\slntamr.sys - this reference has been left in place
    ----------
    Key=SlNtHal
    ImagePath=System32\DRIVERS\Slnthal.sys - this reference has been left in place
    ----------
    Key=SLService
    ImagePath=slserv.exe - this reference has been left in place
    ----------
    Key=SlWdmSup
    ImagePath=System32\DRIVERS\SlWdmSup.sys - this reference has been left in place
    ----------
    Key=splitter
    ImagePath=system32\drivers\splitter.sys - this reference has been left in place
    ----------
    Key=Spooler
    ImagePath=%SystemRoot%\system32\spoolsv.exe - this reference has been left in place
    ----------
    Key=sr
    ImagePath=System32\DRIVERS\sr.sys - this reference has been left in place
    ----------
    Key=Srv
    ImagePath=System32\DRIVERS\srv.sys - this reference has been left in place
    ----------
    Key=swenum
    ImagePath=System32\DRIVERS\swenum.sys - this reference has been left in place
    ----------
    Key=swmidi
    ImagePath=system32\drivers\swmidi.sys - this reference has been left in place
    ----------
    Key=SwPrv
    ImagePath=C:\WINDOWS\System32\dllhost.exe /Processid:{EE165A20-C9A7-4FF1-850E-85B60ED4D7BF} - this reference has been left in place
    ----------
    Key=sysaudio
    ImagePath=system32\drivers\sysaudio.sys - this reference has been left in place
    ----------
    Key=SysmonLog
    ImagePath=%SystemRoot%\system32\smlogsvc.exe - this reference has been left in place
    ----------
    Key=Tcpip
    ImagePath=System32\DRIVERS\tcpip.sys - this reference has been left in place
    ----------
    Key=TermDD
    ImagePath=System32\DRIVERS\termdd.sys - this reference has been left in place
    ----------
    Key=UMWdf
    ImagePath=C:\WINDOWS\system32\wdfmgr.exe - this reference has been left in place
    ----------
    Key=Update
    ImagePath=System32\DRIVERS\update.sys - this reference has been left in place
    ----------
    Key=UPS
    ImagePath=%SystemRoot%\System32\ups.exe - this reference has been left in place
    ----------
    Key=usbehci
    ImagePath=System32\DRIVERS\usbehci.sys - this reference has been left in place
    ----------
    Key=usbhub
    ImagePath=System32\DRIVERS\usbhub.sys - this reference has been left in place
    ----------
    Key=usbscan
    ImagePath=System32\DRIVERS\usbscan.sys - this reference has been left in place
    ----------
    Key=USBSTOR
    ImagePath=System32\DRIVERS\USBSTOR.SYS - this reference has been left in place
    ----------
    Key=usbuhci
    ImagePath=System32\DRIVERS\usbuhci.sys - this reference has been left in place
    ----------
    Key=VgaSave
    ImagePath=\SystemRoot\System32\drivers\vga.sys - this reference has been left in place
    ----------
    Key=VSS
    ImagePath=%SystemRoot%\System32\vssvc.exe - this reference has been left in place
    ----------
    Key=Wanarp
    ImagePath=System32\DRIVERS\wanarp.sys - this reference has been left in place
    ----------
    Key=wdmaud
    ImagePath=system32\drivers\wdmaud.sys - this reference has been left in place
    ----------
    Key=WinDefend
    ImagePath="C:\Program Files\Windows Defender\MsMpEng.exe" - this reference has been left in place
    ----------
    Key=WmiApSrv
    ImagePath=C:\WINDOWS\System32\wbem\wmiapsrv.exe - this reference has been left in place
    ----------
    Key={6080A529-897E-4629-A488-ABA0C29B635E}
    ImagePath=system32\drivers\ialmsbw.sys - this reference has been left in place
    ----------
    Key={D31A0762-0CEB-444e-ACFF-B049A1F6FE91}
    ImagePath=system32\drivers\ialmkchw.sys - this reference has been left in place
    ----------
    ------------------------------
    00:56:44: Scanning -----VXD ENTRIES-----
    Checking the following VxD entries:
    VxD Key = JAVASUP
    Vxd = JAVASUP.VXD - this command has been left in place
    ---------
    Checking VMM32 VxD files being loaded
    ------------------------------
    00:56:44: Scanning ----- WINLOGON\NOTIFY DLLS -----
    Checking DLLs called from the Winlogon\Notify key:
    Key=crypt32chain
    DLLName=crypt32.dll - this reference has been left in place
    ----------
    Key=cryptnet
    DLLName=cryptnet.dll - this reference has been left in place
    ----------
    Key=cscdll
    DLLName=cscdll.dll - this reference has been left in place
    ----------
    Key=igfxcui
    DLLName=igfxsrvc.dll - this reference has been left in place
    ----------
    Key=jkkli
    DLLName=C:\WINDOWS\system32\jkkli.dll - appears to contain ADWARE.VIRTUMONDE (HEURISTIC DETECTION)
    DLLName=C:\WINDOWS\system32\jkkli.dll - this call has been removed
    C:\WINDOWS\system32\jkkli.dll - has HIDDEN attribute set
    C:\WINDOWS\system32\jkkli.dll - HIDDEN attribute removed
    C:\WINDOWS\system32\jkkli.dll - has SYSTEM attribute set
    C:\WINDOWS\system32\jkkli.dll - SYSTEM attribute removed
    C:\WINDOWS\system32\jkkli.dll has been marked for renaming during PC restart
    ----------
    Key=ScCertProp
    DLLName=wlnotify.dll - this reference has been left in place
    ----------
    Key=Schedule
    DLLName=wlnotify.dll - this reference has been left in place
    ----------
    Key=sclgntfy
    DLLName=sclgntfy.dll - this reference has been left in place
    ----------
    Key=SensLogn
    DLLName=WlNotify.dll - this reference has been left in place
    ----------
    Key=termsrv
    DLLName=wlnotify.dll - this reference has been left in place
    ----------
    Key=WgaLogon
    DLLName=WgaLogon.dll - this reference has been left in place
    ----------
    Key=winrkq32
    DLLName=winrkq32.dll - this reference has been left in place [file not found to scan]
    ----------
    Key=wlballoon
    DLLName=wlnotify.dll - this reference has been left in place
    ----------
    Key=WRNotifier
    DLLName=WRLogonNTF.dll - this reference has been left in place [file not found to scan]
    ----------
    ------------------------------
    00:57:53: Scanning ----- CONTEXTMENUHANDLERS -----
    Key = avast
    CLSID = {472083B0-C522-11CF-8763-00608CC02F24}
    C:\Program Files\Alwil Software\Avast4\ashShell.dll - this ContextMenuHandler has been left in place
    ----------
    Key = AVG Shell Extension
    CLSID = {1E2CDF40-419B-11D2-A5A1-002018648BA7}
    File = [CLSID does not appear to reference a file]
    ----------
    Key = BriefcaseMenu
    CLSID = {85BBD920-42A0-1069-A2E4-08002B30309D}
    syncui.dll - this ContextMenuHandler has been left in place
    ----------
    Key = ewido anti-spyware
    CLSID = {8934FCEF-F5B8-468f-951F-78A921CD3920}
    C:\Program Files\ewido anti-spyware 4.0\context.dll - this ContextMenuHandler has been left in place
    ----------
    Key = IZArcCM
    CLSID = {8D9D4D0D-FDDD-44CB-AAB2-6161FA0757C5}
    C:\PROGRA~1\IZArc\IZArcCM.dll - this ContextMenuHandler has been left in place
    ----------
    Key = Offline Files
    CLSID = {750fdf0e-2a26-11d1-a3ea-080036587f03}
    %SystemRoot%\System32\cscui.dll - this ContextMenuHandler has been left in place
    ----------
    Key = Open With
    CLSID = {09799AFB-AD67-11d1-ABCD-00C04FC30936}
    %SystemRoot%\system32\SHELL32.dll - this ContextMenuHandler has been left in place
    ----------
    Key = Open With EncryptionMenu
    CLSID = {A470F8CF-A1E8-4f65-8335-227475AA5C46}
    %SystemRoot%\system32\SHELL32.dll - this ContextMenuHandler has been left in place
    ----------
    Key = Trojan Remover
    CLSID = {52B87208-9CCF-42C9-B88E-069281105805}
    C:\PROGRA~1\TROJAN~1\Trshlex.dll - this ContextMenuHandler has been left in place
    ----------
    Key = {a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
    %SystemRoot%\system32\SHELL32.dll - this ContextMenuHandler has been left in place
    ----------
    ------------------------------
    00:57:55: Scanning ----- FOLDER\COLUMNHANDLERS -----
    Key = {0D2E74C4-3C34-11d2-A27E-00C04FC30871}
    %SystemRoot%\system32\SHELL32.dll - this Folder\ColumnHandler has been left in place
    ----------
    Key = {24F14F01-7B1C-11d1-838f-0000F80461CF}
    %SystemRoot%\system32\SHELL32.dll - this Folder\ColumnHandler has been left in place
    ----------
    Key = {24F14F02-7B1C-11d1-838f-0000F80461CF}
    %SystemRoot%\system32\SHELL32.dll - this Folder\ColumnHandler has been left in place
    ----------
    Key = {66742402-F9B9-11D1-A202-0000F81FEDEE}
    %SystemRoot%\system32\SHELL32.dll - this Folder\ColumnHandler has been left in place
    ----------
    Key = {F9DB5320-233E-11D1-9F84-707F02C10627}
    C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll - this Folder\ColumnHandler has been left in place
    ----------
    ------------------------------
    00:57:55: Scanning ----- BROWSER HELPER OBJECTS -----
    Key = {02478D38-C3F9-4EFB-9B51-7695ECA05670}
    C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll - this Browser Helper Object has been left in place
    ----------
    Key = {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - this Browser Helper Object has been left in place
    ----------
    Key = {53707962-6F74-2D53-2644-206D7942484F}
    C:\PROGRA~1\SPYBOT~1\SDHelper.dll - this Browser Helper Object has been left in place
    ----------
    C:\WINDOWS\system32\jkkli.dll - appears to contain ADWARE.VIRTUMONDE (HEURISTIC DETECTION)
    C:\WINDOWS\system32\jkkli.dll - this Browser Helper Object was being loaded by the following key:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{61EF6ACA-27CC-41AC-9BF3-F53BF2D268B5} - this key has been removed
    C:\WINDOWS\system32\jkkli.dll - this Browser Helper Object was referenced by the following key:
    HKEY_CLASSES_ROOT\CLSID\{61EF6ACA-27CC-41AC-9BF3-F53BF2D268B5} - this key has been removed
    C:\WINDOWS\system32\jkkli.dll has been marked for renaming during PC restart
    ----------
    Key = {AA58ED58-01DD-4d91-8333-CF10577473F7}
    c:\program files\google\googletoolbar2.dll - this Browser Helper Object has been left in place
    ----------
    ------------------------------
    00:58:05: Scanning ----- SHELLSERVICEOBJECTS -----
    Key = PostBootReminder
    %SystemRoot%\system32\SHELL32.dll - this ShellServiceObject has been left in place
    ----------
    Key = CDBurn
    %SystemRoot%\system32\SHELL32.dll - this ShellServiceObject has been left in place
    ----------
    Key = WebCheck
    %SystemRoot%\System32\webcheck.dll - this ShellServiceObject has been left in place
    ----------
    Key = SysTray
    C:\WINDOWS\System32\stobject.dll - this ShellServiceObject has been left in place
    ----------
    ------------------------------
    00:58:06: Scanning ----- SHAREDTASKSCHEDULER ENTRIES -----
    Value = {438755C2-A8BA-11D1-B96B-00A0C90312E1}
    Comment = Pré-chargeur Browseui
    File: %SystemRoot%\System32\browseui.dll - this SharedTaskScheduler entry has been left in place
    ----------
    Value = {8C7461EF-2B13-11d2-BE35-3078302C2030}
    Comment = Démon de cache des catégories de composant
    File: %SystemRoot%\System32\browseui.dll - this SharedTaskScheduler entry has been left in place
    ----------
    ------------------------------
    00:58:07: Scanning ----- IMAGEFILE DEBUGGERS -----
    No "Debugger" entries found.
    ------------------------------
    00:58:07: Scanning ----- APPINIT_DLLS -----
    The AppInit_DLLs value is blank
    ------------------------------
    00:58:07: Scanning ------ COMMON STARTUP GROUP ------
    The Common Startup Group attempts to load the following file(s) at boot time:
    desktop.ini - this file is expected and has been left in place
    ------------------------------
    No User Startup Groups were located to check
    ------------------------------
    00:58:07: Scanning ----- SCHEDULED TASKS -----
    ------------------------------
    00:58:07: ----- EXTRA REGISTRY CHECKS -----
    72 subkeys checked - all ok.
    --------------------
    ------------------------------
    00:58:07: Scanning ------ DOWNLOADED PROGRAM FILES ------
    The following files are located in the DOWNLOADED PROGRAM FILES directory:
    C:\WINDOWS\Downloaded Program Files\asinst.dll - this file has been left in place
    C:\WINDOWS\Downloaded Program Files\asinst.inf - this file has been left in place
    C:\WINDOWS\Downloaded Program Files\bdcore.dll - this file has been left in place
    C:\WINDOWS\Downloaded Program Files\bdupd.dll - this file has been left in place
    C:\WINDOWS\Downloaded Program Files\desktop.ini - this file is expected and has been left in place
    C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd - this file has been left in place
    C:\WINDOWS\Downloaded Program Files\erma.inf - this file has been left in place
    C:\WINDOWS\Downloaded Program Files\installer2.dll - this file has been left in place
    C:\WINDOWS\Downloaded Program Files\IPIXX.inf - this file has been left in place
    C:\WINDOWS\Downloaded Program Files\ipixx.ocx - this file has been left in place
    C:\WINDOWS\Downloaded Program Files\ipsupd.dll - this file has been left in place
    C:\WINDOWS\Downloaded Program Files\iuctl.inf - this file has been left in place
    C:\WINDOWS\Downloaded Program Files\lang.ini - this file has been left in place
    C:\WINDOWS\Downloaded Program Files\LegitCheckControl.inf - this file has been left in place
    C:\WINDOWS\Downloaded Program Files\libfn.dll - this file has been left in place
    C:\WINDOWS\Downloaded Program Files\live.ini - this file has been left in place
    C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd - this file has been left in place
    C:\WINDOWS\Downloaded Program Files\oscan8.inf - this file has been left in place
    C:\WINDOWS\Downloaded Program Files\oscan8.ocx - this file has been left in place
    C:\WINDOWS\Downloaded Program Files\oscan81.ocx_x - this file has been left in place
    C:\WINDOWS\Downloaded Program Files\scanoptions.tsi - this file has been left in place
    C:\WINDOWS\Downloaded Program Files\SpyMD.inf - this file has been left in place
    C:\WINDOWS\Downloaded Program Files\swflash.inf - this file has been left in place
    C:\WINDOWS\Downloaded Program Files\wmv9dmo.inf - this file has been left in place
    C:\WINDOWS\Downloaded Program Files\WMV9VCM.inf - this file has been left in place
    C:\WINDOWS\Downloaded Program Files\wmvadvd.inf - this file has been left in place
    ------------------------------
    00:58:11: Checking AUTOEXEC.BAT file
    AUTOEXEC.BAT found in C:\
    No malicious entries were found in the AUTOEXEC.BAT file
    ------------------------------
    00:58:11: Checking AUTOEXEC.NT file
    AUTOEXEC.NT found in C:\WINDOWS\system32
    No malicious entries were found in the AUTOEXEC.NT file
    ------------------------------
    ------ INTERNET EXPLORER HOME/START/SEARCH SETTINGS ------
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\"Start Page":
    http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\"Local Page":
    C:\WINDOWS\SYSTEM32\blank.htm
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\"Search Page":
    http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\"Default_Page_URL":
    http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\"Default_Search_URL":
    http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\"CustomizeSearch":
    https://www.bing.com/?toHttps=1&redig=8F3F334EA60E4B1CB4D040DCFE393A89{SUB_RFC1766}/srchasst/srchcust.htm
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\"SearchAssistant":
    https://www.bing.com/?toHttps=1&redig=8F3F334EA60E4B1CB4D040DCFE393A89{SUB_RFC1766}/srchasst/srchasst.htm
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Start Page":
    https://www.google.fr/?gws_rd=ssl
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Local Page":
    C:\WINDOWS\SYSTEM32\blank.htm
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Search Page":
    http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Default_Search_URL":
    http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    ------------------------------
    === CHANGES WERE MADE TO THE WINDOWS REGISTRY ===
    Scan completed at: 06/09/2006 00:58:11
    -------------------------------------------------------------------------
    One or more files could not be moved or renamed as requested.
    They may be in use by Windows, so Trojan Remover needs
    to restart the system in order to deal with these files.
    06/09/2006 00:58:24: restart commenced
    ************************************************************

    ::Report end
  3. Séb08 Posts: 18169 Registration date   Status: Contributor Last contribution   1 430
     
    Hi,

    You can run another Ewido scan, because the "No action taken" you can see in your report means that you didn't clean anything...
    So run Ewido again (don't forget to update it first), "delete" everything it finds, and paste the report.

    Cheers