Infection SVCHOST.EXE

Résolu
cqfd73 Messages postés 121 Statut Membre -  
 g3n-h@ckm@n -
Bonjour,

J'ai un problème similaire à celui décrit par Elisiss le 25/02/2012 sur ce forum:
- Le PC est soudainement devenu très lent (20 minutes mini pour le démarage et l'arrêt).
- D est inaccessible (Le disque D est physiquement différent du disque C)
- Plus de laison réseau (mails et internet)
- La plupart des applications ne repondent plus ou bien partiellement.
- le bouton "démarrer" est inerte, le menu n'apparait plus.

Malheureusement, les explications données par Loumax91 pour le dépannage de Elisiss ne m'ont pas permis de faire redémarrer correctement la machine.

Petites indications :
- j'ai réussi, avec beaucoup de patience, à lancer Avast après avoir fait un démarrage sans echec. Avast a mouliné pendant 2 heures. La barre de progression est restée sur 0%. La première (et unique) ligne apparue sur le scan d'Avast me parait louche :
SVC: wudfsvc>C:WINDOWS\SYSTEM32\SVCHOST.EXE
- J'ai également lancé Malwarebytes qui, à priori, a fonctionné correctement. Cependant, le scan n'a rien detecté de suspect.

Voilà le triste tableau !

Merci pour votre aide

90 réponses

  • 1
  • 2
  • 3
  • 4
  • 5
Résumé de la discussion

Un PC sous Windows 7 présente des lenteurs extrêmes et des défaillances système généralisées: démarrage et arrêt très longs, l’accès au lecteur D bloqué, la liaison réseau perdue et de nombreuses applications qui ne répondent plus, le bouton Démarrer restant inopérant.
Des indices techniques apparaissent: Avast en démarrage sans échec affiche une ligne suspecte “SVC: wudfsvc>C:\WINDOWS\SYSTEM32\SVCHOST.EXE”, et le scan reste bloqué à 0% après plusieurs heures.
Malwarebytes ne détecte rien de suspect malgré les symptômes, et les échanges évoquent l’utilisation de pré-scans et d’outils comme Pre_Scan, ZHPDiag et ComboFix pour diagnostiquer et nettoyer le système.
Les discussions se concentrent sur les procédures à suivre et les précautions à prendre avec ces outils, sans qu’une solution concluant soit décrite.

Généré automatiquement par IA
sur la base des meilleures réponses
  1. g3n-h@ckm@n
     
    il a 1000 ans ton pc ?
    1
    1. cqfd73 Messages postés 121 Statut Membre
       
      Bon, j'espère que je me suis bien exprimé.

      Oui, le clavier est raccordé sur un port USB du PC.

      Mais il est loin d'avoir 1000 ans (le PC), puisque je l'ai acheté au mois de fevrier 2012 !

      Je sais que l'informatique se déprécie vite, mais quand même !
      0
  2. Utilisateur anonyme
     
    Bonsoir,

    Pas de soucis, on va débloquer le pc puis le traiter:

    http://www.security-helpzone.com/Thread-Pre-Scan-Mode-nettoyage

    A faire stp,
    0
    1. cqfd73 Messages postés 121 Statut Membre
       
      Merci de te pencher sur mon douloureux cas.
      J'ai d'ores et dejà une info à donner. Il est ipossible d'installer ZHPDiag sur le poste infecté. Lorsque je le lance, le message suivant s'affiche :

      L'assistant d'installation n'a pas pu créer le dossier
      "C:\User\AppData\Local\Temp\is-DTQI?tm"
      Erreur 5 : Accès refusé
      0
    2. Utilisateur anonyme
       
      Ne lance que Pre_Scan ci-dessus, pas de ZHPdiag.
      0
    3. cqfd73 Messages postés 121 Statut Membre
       
      Je m'y emploi.

      J'ai du redémarrer Windows en mode sans echec car l'explorateur moulinait tellement que la clé USB que j'utilise pour transférer les fichiers du PC sain vers le PC infecté n'est pas apparue dans l'explorateur. C'est long ...
      0
    4. Utilisateur anonyme
       
      Parfait,

      Allez, un peu de courage ;-)
      0
    5. cqfd73 Messages postés 121 Statut Membre
       
      Il y a un souci.
      Winlogon ne parvient pas à termier son scan (le PC tourne actuellement en mode sans echec).
      Message d'erreur affiché :

      Line 6113 (File "C:\users\user\desktop\winlogon.exe")
      Error : variable must be of type "object"
      0
  3. g3n-h@ckm@n
     
    salut je suis le concepteur de pre_scan

    as-tu possibilité de reactiver la rstauration systeme ?

    ¤¤¤¤¤¤¤¤¤¤ Pre_Scan_Concept ¤¤¤¤¤¤¤¤¤¤
    0
  4. cqfd73 Messages postés 121 Statut Membre
     
    Bonjour g3n-h@ckm@n,

    Peux-tu préciser ta question ?
    Quelle serait la manip à réaliser ?
    0
    1. g3n-h@ckm@n
       
      c'est ok fais ce que demande saachaa juste en dessous je vous laisse :)
      0
  5. Vous n’avez pas trouvé la réponse que vous recherchez ?

    Posez votre question
  6. Utilisateur anonyme
     
    Bonjour,

    Pour ta ligne aucun soucis,

    Vire ton Pre_Scan et re-télécharge le nouveau sur le lien donné plus haut, puis lance-le en mode sans échec.
    0
  7. cqfd73 Messages postés 121 Statut Membre
     
    Bonjour Saachaa,

    Mes problèmes ne s'arrangent pas.

    J'ai ouvert une session administrateur (utilisateur habituel) en mode sans echec et j'ai pu installer Winlogon (version 2). voici le resultat :
    - Fonction CMD : OK
    - Fonction RECEDIT : OK
    - Fonction SERVICES : OK
    - Fonction SCRIPT : Aucune réaction
    - Fonction DIAG : le scan est resté bloqué à la ligne "C:\WINDOWS\SYSTEM 32\WUDFDd.SYS"
    - J'ai néanmois réussis à faire tourner entièrement la fonction CHK.SCV dont le rapport est joint ci-dessous.

    Ensuite, je ne sais pas si j'ai fais une connerie ou pas (utilisation de la fonction KILL), mais toujours est-il que maintenant, le clavier ne répond plus sous la session Administrateur. Donc, impossible de saisir le mot de passe pour ouvrir la session.
    J'ai donc basculé vers la session Invité qui n'est pas protégé par mot de passe. C'est grace à cela que j'ai pu copier le rapport de CHK.SCV sur un CD, car cette opération était irréalisable sous la session Adminitrateur.

    D'autre part, l'ordi semble fonctionner un peu mieux lorsqu'il est ouvert sous Invité (?). Le bouton démarrer fait bien appraitre le menu, la vitesse est nettement meilleure, mais les problèmes décrits précedement perdurent. Quelques trucs bizarres tout de même, en session Invité :
    - Impossible de lancer Winlogon
    - Impossible d'ouvrir le gestionnaire des taches
    - Sans aucune application en fonctionnement, le gadget de bureau m'indique le prosseceur à 55% de charge

    Rapport CHK.SCV ci-dessous

    -----------------------------------------------------------------------------------------------

    ¤¤¤¤¤¤¤¤¤¤ | BFE

    [HKLM\System\Currentcontrolset\Services\BFE]|[DisplayName] : @%SystemRoot%\system32\bfe.dll,-1001
    [HKLM\System\Currentcontrolset\Services\BFE]|[Group] : NetworkProvider
    [HKLM\System\Currentcontrolset\Services\BFE]|[ImagePath] : %systemroot%\system32\svchost.exe -k LocalServiceNoNetwork
    [HKLM\System\Currentcontrolset\Services\BFE]|[Description] : @%SystemRoot%\system32\bfe.dll,-1002
    [HKLM\System\Currentcontrolset\Services\BFE]|[ObjectName] : NT AUTHORITY\LocalService
    [HKLM\System\Currentcontrolset\Services\BFE]|[ErrorControl] : 1
    [HKLM\System\Currentcontrolset\Services\BFE]|[Start] : 4
    [HKLM\System\Currentcontrolset\Services\BFE]|[Type] : 32
    [HKLM\System\Currentcontrolset\Services\BFE]|[DependOnService] : RpcSs
    [HKLM\System\Currentcontrolset\Services\BFE]|[ServiceSidType] : 3
    [HKLM\System\Currentcontrolset\Services\BFE]|[RequiredPrivileges] : SeAuditPrivilege
    [HKLM\System\Currentcontrolset\Services\BFE]|[FailureActions] : 0x805101000000000000000000030000001400000001000000C0D4010001000000E09304000000000000000000
    [HKLM\System\Currentcontrolset\Services\BFE\Parameters]|[ServiceDll] : %SystemRoot%\System32\bfe.dll
    [HKLM\System\Currentcontrolset\Services\BFE\Parameters]|[ServiceDllUnloadOnStop] : 1
    [HKLM\System\Currentcontrolset\Services\BFE\Parameters]|[ServiceMain] : BfeServiceMain

    ¤¤¤¤¤¤¤¤¤¤ | BITS

    [HKLM\System\Currentcontrolset\Services\BITS]|[DisplayName] : @%SystemRoot%\system32\qmgr.dll,-1000
    [HKLM\System\Currentcontrolset\Services\BITS]|[ImagePath] : %SystemRoot%\System32\svchost.exe -k netsvcs
    [HKLM\System\Currentcontrolset\Services\BITS]|[Description] : @%SystemRoot%\system32\qmgr.dll,-1001
    [HKLM\System\Currentcontrolset\Services\BITS]|[ObjectName] : LocalSystem
    [HKLM\System\Currentcontrolset\Services\BITS]|[ErrorControl] : 1
    [HKLM\System\Currentcontrolset\Services\BITS]|[Start] : 4
    [HKLM\System\Currentcontrolset\Services\BITS]|[DelayedAutoStart] : 1
    [HKLM\System\Currentcontrolset\Services\BITS]|[Type] : 32
    [HKLM\System\Currentcontrolset\Services\BITS]|[DependOnService] : RpcSs
    EventSystem
    [HKLM\System\Currentcontrolset\Services\BITS]|[ServiceSidType] : 1
    [HKLM\System\Currentcontrolset\Services\BITS]|[RequiredPrivileges] : SeCreateGlobalPrivilege
    SeImpersonatePrivilege
    SeTcbPrivilege
    SeAssignPrimaryTokenPrivilege
    SeIncreaseQuotaPrivilege
    [HKLM\System\Currentcontrolset\Services\BITS]|[FailureActions] : 0x80510100000000000000000003000000140000000100000060EA000001000000C0D401000000000000000000
    [HKLM\System\Currentcontrolset\Services\BITS\Parameters]|[ServiceDll] : %SystemRoot%\System32\qmgr.dll
    [HKLM\System\Currentcontrolset\Services\BITS\Performance]|[Library] : bitsperf.dll
    [HKLM\System\Currentcontrolset\Services\BITS\Performance]|[Open] : PerfMon_Open
    [HKLM\System\Currentcontrolset\Services\BITS\Performance]|[Collect] : PerfMon_Collect
    [HKLM\System\Currentcontrolset\Services\BITS\Performance]|[Close] : PerfMon_Close
    [HKLM\System\Currentcontrolset\Services\BITS\Performance]|[InstallType] : 1
    [HKLM\System\Currentcontrolset\Services\BITS\Performance]|[PerfIniFile] : bitsctrs.ini
    [HKLM\System\Currentcontrolset\Services\BITS\Performance]|[First Counter] : 2156
    [HKLM\System\Currentcontrolset\Services\BITS\Performance]|[Last Counter] : 2172
    [HKLM\System\Currentcontrolset\Services\BITS\Performance]|[First Help] : 2157
    [HKLM\System\Currentcontrolset\Services\BITS\Performance]|[Last Help] : 2173
    [HKLM\System\Currentcontrolset\Services\BITS\Performance]|[Object List] : 2156
    [HKLM\System\Currentcontrolset\Services\BITS\Performance]|[PerfMMFileName] : Global\MMF_BITS_s
    [HKLM\System\Currentcontrolset\Services\BITS\Security]|[Security] : 0x0100148090000000A00000001400000034000000020020000100000002C0180000000C000102000000000005200000002002000002005C000400000000021400FF010F0001010000000000051200000000001800FF010F0001020000000000052000000020020000000014008D010200010100000000000504000000000014008D0102000101000000000005060000000102000000000005200000002002000001020000000000052000000020020000

    ¤¤¤¤¤¤¤¤¤¤ | Cryptsvc

    [HKLM\System\Currentcontrolset\Services\Cryptsvc]|[DisplayName] : @%SystemRoot%\system32\cryptsvc.dll,-1001
    [HKLM\System\Currentcontrolset\Services\Cryptsvc]|[ImagePath] : %SystemRoot%\system32\svchost.exe -k NetworkService
    [HKLM\System\Currentcontrolset\Services\Cryptsvc]|[Description] : @%SystemRoot%\system32\cryptsvc.dll,-1002
    [HKLM\System\Currentcontrolset\Services\Cryptsvc]|[ObjectName] : NT Authority\NetworkService
    [HKLM\System\Currentcontrolset\Services\Cryptsvc]|[ErrorControl] : 1
    [HKLM\System\Currentcontrolset\Services\Cryptsvc]|[Start] : 3
    [HKLM\System\Currentcontrolset\Services\Cryptsvc]|[Type] : 32
    [HKLM\System\Currentcontrolset\Services\Cryptsvc]|[DependOnService] : RpcSs
    [HKLM\System\Currentcontrolset\Services\Cryptsvc]|[ServiceSidType] : 1
    [HKLM\System\Currentcontrolset\Services\Cryptsvc]|[RequiredPrivileges] : SeChangeNotifyPrivilege
    SeCreateGlobalPrivilege
    SeImpersonatePrivilege
    [HKLM\System\Currentcontrolset\Services\Cryptsvc]|[FailureActions] : 0x80510100000000000000000003000000140000000100000060EA000000000000000000000000000000000000
    [HKLM\System\Currentcontrolset\Services\Cryptsvc\Parameters]|[ServiceDll] : %SystemRoot%\system32\cryptsvc.dll
    [HKLM\System\Currentcontrolset\Services\Cryptsvc\Parameters]|[ServiceMain] : CryptServiceMain
    [HKLM\System\Currentcontrolset\Services\Cryptsvc\Parameters]|[ServiceDllUnloadOnStop] : 1
    [HKLM\System\Currentcontrolset\Services\Cryptsvc\Security]|[Security] : 0x00000E0001

    ¤¤¤¤¤¤¤¤¤¤ | MPSSVC

    [HKLM\System\Currentcontrolset\Services\MPSSVC]|[DisplayName] : @%SystemRoot%\system32\FirewallAPI.dll,-23090
    [HKLM\System\Currentcontrolset\Services\MPSSVC]|[Group] : NetworkProvider
    [HKLM\System\Currentcontrolset\Services\MPSSVC]|[ImagePath] : %SystemRoot%\system32\svchost.exe -k LocalServiceNoNetwork
    [HKLM\System\Currentcontrolset\Services\MPSSVC]|[Description] : @%SystemRoot%\system32\FirewallAPI.dll,-23091
    [HKLM\System\Currentcontrolset\Services\MPSSVC]|[ObjectName] : NT Authority\LocalService
    [HKLM\System\Currentcontrolset\Services\MPSSVC]|[ErrorControl] : 1
    [HKLM\System\Currentcontrolset\Services\MPSSVC]|[Start] : 4
    [HKLM\System\Currentcontrolset\Services\MPSSVC]|[Type] : 32
    [HKLM\System\Currentcontrolset\Services\MPSSVC]|[DependOnService] : mpsdrv
    bfe
    [HKLM\System\Currentcontrolset\Services\MPSSVC]|[ServiceSidType] : 3
    [HKLM\System\Currentcontrolset\Services\MPSSVC]|[RequiredPrivileges] : SeAssignPrimaryTokenPrivilege
    SeAuditPrivilege
    SeChangeNotifyPrivilege
    SeCreateGlobalPrivilege
    SeImpersonatePrivilege
    SeIncreaseQuotaPrivilege
    [HKLM\System\Currentcontrolset\Services\MPSSVC]|[FailureActions] : 0x805101000000000000000000030000001400000001000000C0D4010001000000E09304000000000000000000
    [HKLM\System\Currentcontrolset\Services\MPSSVC\Parameters]|[ServiceDll] : %SystemRoot%\system32\mpssvc.dll
    [HKLM\System\Currentcontrolset\Services\MPSSVC\Parameters]|[ServiceDllUnloadOnStop] : 1
    [HKLM\System\Currentcontrolset\Services\MPSSVC\Security]|[Security] : 0x01001480B4000000C0000000140000003000000002001C000100000002801400FF010F00010100000000000100000000020084000500000000001400FD01020001010000000000051200000000001800FF010F0001020000000000052000000020020000000014008D010200010100000000000504000000000014008D010200010100000000000506000000000028001500000001060000000000055000000049599D779156E555DCF4E20EA78BEBCA7B421356010100000000000512000000010100000000000512000000

    ¤¤¤¤¤¤¤¤¤¤ | RPCSS

    [HKLM\System\Currentcontrolset\Services\RPCSS]|[DisplayName] : @oleres.dll,-5010
    [HKLM\System\Currentcontrolset\Services\RPCSS]|[Group] : COM Infrastructure
    [HKLM\System\Currentcontrolset\Services\RPCSS]|[ImagePath] : %SystemRoot%\system32\svchost.exe -k rpcss
    [HKLM\System\Currentcontrolset\Services\RPCSS]|[Description] : @oleres.dll,-5011
    [HKLM\System\Currentcontrolset\Services\RPCSS]|[ObjectName] : NT AUTHORITY\NetworkService
    [HKLM\System\Currentcontrolset\Services\RPCSS]|[ErrorControl] : 1
    [HKLM\System\Currentcontrolset\Services\RPCSS]|[Start] : 2
    [HKLM\System\Currentcontrolset\Services\RPCSS]|[Type] : 32
    [HKLM\System\Currentcontrolset\Services\RPCSS]|[DependOnService] : RpcEptMapper
    DcomLaunch
    [HKLM\System\Currentcontrolset\Services\RPCSS]|[FailureActions] : 0x00000000000000000000000001000000000000000200000060EA0000
    [HKLM\System\Currentcontrolset\Services\RPCSS]|[RequiredPrivileges] : SeChangeNotifyPrivilege
    SeCreateGlobalPrivilege
    SeImpersonatePrivilege
    [HKLM\System\Currentcontrolset\Services\RPCSS]|[ServiceSidType] : 1
    [HKLM\System\Currentcontrolset\Services\RPCSS\Parameters]|[ServiceDll] : %SystemRoot%\system32\rpcss.dll
    [HKLM\System\Currentcontrolset\Services\RPCSS\Security]|[Security] : 0x01001480900000009C000000140000003000000002001C000100000002801400FF000F000101000000000001000000000200600004000000000014008500020001010000000000050B00000000001400FF000E0001010000000000051200000000001800FD000E0001020000000000052000000020020000000018008500000001020000000000052000000021020000010100000000000512000000010100000000000512000000

    ¤¤¤¤¤¤¤¤¤¤ | Windefend

    [HKLM\System\Currentcontrolset\Services\Windefend]|[DisplayName] : @%ProgramFiles%\Windows Defender\MsMpRes.dll,-103
    [HKLM\System\Currentcontrolset\Services\Windefend]|[ErrorControl] : 1
    [HKLM\System\Currentcontrolset\Services\Windefend]|[ImagePath] : %SystemRoot%\System32\svchost.exe -k secsvcs
    [HKLM\System\Currentcontrolset\Services\Windefend]|[Start] : 2
    [HKLM\System\Currentcontrolset\Services\Windefend]|[Type] : 32
    [HKLM\System\Currentcontrolset\Services\Windefend]|[Description] : @%ProgramFiles%\Windows Defender\MsMpRes.dll,-1176
    [HKLM\System\Currentcontrolset\Services\Windefend]|[DependOnService] : RpcSs
    [HKLM\System\Currentcontrolset\Services\Windefend]|[ObjectName] : LocalSystem
    [HKLM\System\Currentcontrolset\Services\Windefend]|[ServiceSidType] : 1
    [HKLM\System\Currentcontrolset\Services\Windefend]|[RequiredPrivileges] : SeImpersonatePrivilege
    SeBackupPrivilege
    SeRestorePrivilege
    SeDebugPrivilege
    SeChangeNotifyPrivilege
    SeSecurityPrivilege
    SeShutdownPrivilege
    SeIncreaseQuotaPrivilege
    SeAssignPrimaryTokenPrivilege
    [HKLM\System\Currentcontrolset\Services\Windefend]|[DelayedAutoStart] : 1
    [HKLM\System\Currentcontrolset\Services\Windefend]|[FailureActions] : 0x80510100000000000000000003000000140000000100000060EA00000100000060EA00000000000000000000
    [HKLM\System\Currentcontrolset\Services\Windefend\Parameters]|[ServiceDllUnloadOnStop] : 1
    [HKLM\System\Currentcontrolset\Services\Windefend\Parameters]|[ServiceDll] : %ProgramFiles%\Windows Defender\mpsvc.dll
    [HKLM\System\Currentcontrolset\Services\Windefend\Security]|[Security] : 0x01001480DC000000E8000000140000003000000002001C000100000002801400FF010F000101000000000001000000000200AC000600000000002800FF010F00010600000000000550000000B589FB381984C2CB5C6C236D5700776EC0026487000B280000000010010600000000000550000000B589FB381984C2CB5C6C236D5700776EC002648700001400FD01020001010000000000051200000000001800FF010F0001020000000000052000000020020000000014009D010200010100000000000504000000000014009D010200010100000000000506000000010100000000000512000000010100000000000512000000

    ¤¤¤¤¤¤¤¤¤¤ | wscsvc

    [HKLM\System\Currentcontrolset\Services\wscsvc]|[DisplayName] : @%SystemRoot%\System32\wscsvc.dll,-200
    [HKLM\System\Currentcontrolset\Services\wscsvc]|[ErrorControl] : 1
    [HKLM\System\Currentcontrolset\Services\wscsvc]|[ImagePath] : %SystemRoot%\System32\svchost.exe -k LocalServiceNetworkRestricted
    [HKLM\System\Currentcontrolset\Services\wscsvc]|[Start] : 4
    [HKLM\System\Currentcontrolset\Services\wscsvc]|[Type] : 32
    [HKLM\System\Currentcontrolset\Services\wscsvc]|[Description] : @%SystemRoot%\System32\wscsvc.dll,-201
    [HKLM\System\Currentcontrolset\Services\wscsvc]|[DependOnService] : RpcSs
    WinMgmt
    [HKLM\System\Currentcontrolset\Services\wscsvc]|[ObjectName] : NT AUTHORITY\LocalService
    [HKLM\System\Currentcontrolset\Services\wscsvc]|[ServiceSidType] : 1
    [HKLM\System\Currentcontrolset\Services\wscsvc]|[RequiredPrivileges] : SeChangeNotifyPrivilege
    SeImpersonatePrivilege
    [HKLM\System\Currentcontrolset\Services\wscsvc]|[DelayedAutoStart] : 1
    [HKLM\System\Currentcontrolset\Services\wscsvc]|[FailureActions] : 0x805101000000000000000000030000001400000001000000C0D4010001000000E09304000000000000000000
    [HKLM\System\Currentcontrolset\Services\wscsvc\Parameters]|[ServiceDllUnloadOnStop] : 1
    [HKLM\System\Currentcontrolset\Services\wscsvc\Parameters]|[ServiceDll] : %SystemRoot%\System32\wscsvc.dll
    [HKLM\System\Currentcontrolset\Services\wscsvc\Security]|[Security] : 0x01001480C8000000D4000000140000003000000002001C000100000002801400FF010F00010100000000000100000000020098000600000000001400FD01020001010000000000051200000000001800FF010F0001020000000000052000000020020000000014009D010200010100000000000504000000000014008D010200010100000000000506000000000014000001000001010000000000050B000000000028001500000001060000000000055000000049599D779156E555DCF4E20EA78BEBCA7B421356010100000000000512000000010100000000000512000000

    ¤¤¤¤¤¤¤¤¤¤ | wuauserv

    [HKLM\System\Currentcontrolset\Services\wuauserv]|[PreshutdownTimeout] : 57600000
    [HKLM\System\Currentcontrolset\Services\wuauserv]|[DisplayName] : @%systemroot%\system32\wuaueng.dll,-105
    [HKLM\System\Currentcontrolset\Services\wuauserv]|[ImagePath] : %systemroot%\system32\svchost.exe -k netsvcs
    [HKLM\System\Currentcontrolset\Services\wuauserv]|[Description] : @%systemroot%\system32\wuaueng.dll,-106
    [HKLM\System\Currentcontrolset\Services\wuauserv]|[ObjectName] : LocalSystem
    [HKLM\System\Currentcontrolset\Services\wuauserv]|[ErrorControl] : 1
    [HKLM\System\Currentcontrolset\Services\wuauserv]|[Start] : 4
    [HKLM\System\Currentcontrolset\Services\wuauserv]|[DelayedAutoStart] : 1
    [HKLM\System\Currentcontrolset\Services\wuauserv]|[Type] : 32
    [HKLM\System\Currentcontrolset\Services\wuauserv]|[DependOnService] : rpcss
    [HKLM\System\Currentcontrolset\Services\wuauserv]|[ServiceSidType] : 1
    [HKLM\System\Currentcontrolset\Services\wuauserv]|[RequiredPrivileges] : SeAuditPrivilege
    SeCreateGlobalPrivilege
    SeCreatePageFilePrivilege
    SeTcbPrivilege
    SeAssignPrimaryTokenPrivilege
    SeImpersonatePrivilege
    SeIncreaseQuotaPrivilege
    SeShutdownPrivilege
    [HKLM\System\Currentcontrolset\Services\wuauserv]|[FailureActions] : 0x80510100000000000000000003000000140000000100000060EA000000000000000000000000000000000000
    [HKLM\System\Currentcontrolset\Services\wuauserv\Parameters]|[ServiceDll] : %systemroot%\system32\wuaueng.dll
    [HKLM\System\Currentcontrolset\Services\wuauserv\Parameters]|[ServiceMain] : WUServiceMain
    [HKLM\System\Currentcontrolset\Services\wuauserv\Parameters]|[ServiceDllUnloadOnStop] : 1
    [HKLM\System\Currentcontrolset\Services\wuauserv\Security]|[Security] : 0x010014807800000084000000140000003000000002001C000100000002801400FF000F000101000000000001000000000200480003000000000014009D00020001010000000000050B00000000001800FF010F000102000000000005200000002002000000001400FF010F00010100000000000512000000010100000000000512000000010100000000000512000000

    ¤¤¤¤¤¤¤¤¤¤ | BFE

    [HKLM\System\Currentcontrolset\Services\BFE]|[DisplayName] : @%SystemRoot%\system32\bfe.dll,-1001
    [HKLM\System\Currentcontrolset\Services\BFE]|[Group] : NetworkProvider
    [HKLM\System\Currentcontrolset\Services\BFE]|[ImagePath] : %systemroot%\system32\svchost.exe -k LocalServiceNoNetwork
    [HKLM\System\Currentcontrolset\Services\BFE]|[Description] : @%SystemRoot%\system32\bfe.dll,-1002
    [HKLM\System\Currentcontrolset\Services\BFE]|[ObjectName] : NT AUTHORITY\LocalService
    [HKLM\System\Currentcontrolset\Services\BFE]|[ErrorControl] : 1
    [HKLM\System\Currentcontrolset\Services\BFE]|[Start] : 4
    [HKLM\System\Currentcontrolset\Services\BFE]|[Type] : 32
    [HKLM\System\Currentcontrolset\Services\BFE]|[DependOnService] : RpcSs
    [HKLM\System\Currentcontrolset\Services\BFE]|[ServiceSidType] : 3
    [HKLM\System\Currentcontrolset\Services\BFE]|[RequiredPrivileges] : SeAuditPrivilege
    [HKLM\System\Currentcontrolset\Services\BFE]|[FailureActions] : 0x805101000000000000000000030000001400000001000000C0D4010001000000E09304000000000000000000
    [HKLM\System\Currentcontrolset\Services\BFE\Parameters]|[ServiceDll] : %SystemRoot%\System32\bfe.dll
    [HKLM\System\Currentcontrolset\Services\BFE\Parameters]|[ServiceDllUnloadOnStop] : 1
    [HKLM\System\Currentcontrolset\Services\BFE\Parameters]|[ServiceMain] : BfeServiceMain

    ¤¤¤¤¤¤¤¤¤¤ | BITS

    [HKLM\System\Currentcontrolset\Services\BITS]|[DisplayName] : @%SystemRoot%\system32\qmgr.dll,-1000
    [HKLM\System\Currentcontrolset\Services\BITS]|[ImagePath] : %SystemRoot%\System32\svchost.exe -k netsvcs
    [HKLM\System\Currentcontrolset\Services\BITS]|[Description] : @%SystemRoot%\system32\qmgr.dll,-1001
    [HKLM\System\Currentcontrolset\Services\BITS]|[ObjectName] : LocalSystem
    [HKLM\System\Currentcontrolset\Services\BITS]|[ErrorControl] : 1
    [HKLM\System\Currentcontrolset\Services\BITS]|[Start] : 4
    [HKLM\System\Currentcontrolset\Services\BITS]|[DelayedAutoStart] : 1
    [HKLM\System\Currentcontrolset\Services\BITS]|[Type] : 32
    [HKLM\System\Currentcontrolset\Services\BITS]|[DependOnService] : RpcSs
    EventSystem
    [HKLM\System\Currentcontrolset\Services\BITS]|[ServiceSidType] : 1
    [HKLM\System\Currentcontrolset\Services\BITS]|[RequiredPrivileges] : SeCreateGlobalPrivilege
    SeImpersonatePrivilege
    SeTcbPrivilege
    SeAssignPrimaryTokenPrivilege
    SeIncreaseQuotaPrivilege
    [HKLM\System\Currentcontrolset\Services\BITS]|[FailureActions] : 0x80510100000000000000000003000000140000000100000060EA000001000000C0D401000000000000000000
    [HKLM\System\Currentcontrolset\Services\BITS\Parameters]|[ServiceDll] : %SystemRoot%\System32\qmgr.dll
    [HKLM\System\Currentcontrolset\Services\BITS\Performance]|[Library] : bitsperf.dll
    [HKLM\System\Currentcontrolset\Services\BITS\Performance]|[Open] : PerfMon_Open
    [HKLM\System\Currentcontrolset\Services\BITS\Performance]|[Collect] : PerfMon_Collect
    [HKLM\System\Currentcontrolset\Services\BITS\Performance]|[Close] : PerfMon_Close
    [HKLM\System\Currentcontrolset\Services\BITS\Performance]|[InstallType] : 1
    [HKLM\System\Currentcontrolset\Services\BITS\Performance]|[PerfIniFile] : bitsctrs.ini
    [HKLM\System\Currentcontrolset\Services\BITS\Performance]|[First Counter] : 2156
    [HKLM\System\Currentcontrolset\Services\BITS\Performance]|[Last Counter] : 2172
    [HKLM\System\Currentcontrolset\Services\BITS\Performance]|[First Help] : 2157
    [HKLM\System\Currentcontrolset\Services\BITS\Performance]|[Last Help] : 2173
    [HKLM\System\Currentcontrolset\Services\BITS\Performance]|[Object List] : 2156
    [HKLM\System\Currentcontrolset\Services\BITS\Performance]|[PerfMMFileName] : Global\MMF_BITS_s
    [HKLM\System\Currentcontrolset\Services\BITS\Security]|[Security] : 0x0100148090000000A00000001400000034000000020020000100000002C0180000000C000102000000000005200000002002000002005C000400000000021400FF010F0001010000000000051200000000001800FF010F0001020000000000052000000020020000000014008D010200010100000000000504000000000014008D0102000101000000000005060000000102000000000005200000002002000001020000000000052000000020020000

    ¤¤¤¤¤¤¤¤¤¤ | Cryptsvc

    [HKLM\System\Currentcontrolset\Services\Cryptsvc]|[DisplayName] : @%SystemRoot%\system32\cryptsvc.dll,-1001
    [HKLM\System\Currentcontrolset\Services\Cryptsvc]|[ImagePath] : %SystemRoot%\system32\svchost.exe -k NetworkService
    [HKLM\System\Currentcontrolset\Services\Cryptsvc]|[Description] : @%SystemRoot%\system32\cryptsvc.dll,-1002
    [HKLM\System\Currentcontrolset\Services\Cryptsvc]|[ObjectName] : NT Authority\NetworkService
    [HKLM\System\Currentcontrolset\Services\Cryptsvc]|[ErrorControl] : 1
    [HKLM\System\Currentcontrolset\Services\Cryptsvc]|[Start] : 3
    [HKLM\System\Currentcontrolset\Services\Cryptsvc]|[Type] : 32
    [HKLM\System\Currentcontrolset\Services\Cryptsvc]|[DependOnService] : RpcSs
    [HKLM\System\Currentcontrolset\Services\Cryptsvc]|[ServiceSidType] : 1
    [HKLM\System\Currentcontrolset\Services\Cryptsvc]|[RequiredPrivileges] : SeChangeNotifyPrivilege
    SeCreateGlobalPrivilege
    SeImpersonatePrivilege
    [HKLM\System\Currentcontrolset\Services\Cryptsvc]|[FailureActions] : 0x80510100000000000000000003000000140000000100000060EA000000000000000000000000000000000000
    [HKLM\System\Currentcontrolset\Services\Cryptsvc\Parameters]|[ServiceDll] : %SystemRoot%\system32\cryptsvc.dll
    [HKLM\System\Currentcontrolset\Services\Cryptsvc\Parameters]|[ServiceMain] : CryptServiceMain
    [HKLM\System\Currentcontrolset\Services\Cryptsvc\Parameters]|[ServiceDllUnloadOnStop] : 1
    [HKLM\System\Currentcontrolset\Services\Cryptsvc\Security]|[Security] : 0x00000E0001

    ¤¤¤¤¤¤¤¤¤¤ | MPSSVC

    [HKLM\System\Currentcontrolset\Services\MPSSVC]|[DisplayName] : @%SystemRoot%\system32\FirewallAPI.dll,-23090
    [HKLM\System\Currentcontrolset\Services\MPSSVC]|[Group] : NetworkProvider
    [HKLM\System\Currentcontrolset\Services\MPSSVC]|[ImagePath] : %SystemRoot%\system32\svchost.exe -k LocalServiceNoNetwork
    [HKLM\System\Currentcontrolset\Services\MPSSVC]|[Description] : @%SystemRoot%\system32\FirewallAPI.dll,-23091
    [HKLM\System\Currentcontrolset\Services\MPSSVC]|[ObjectName] : NT Authority\LocalService
    [HKLM\System\Currentcontrolset\Services\MPSSVC]|[ErrorControl] : 1
    [HKLM\System\Currentcontrolset\Services\MPSSVC]|[Start] : 4
    [HKLM\System\Currentcontrolset\Services\MPSSVC]|[Type] : 32
    [HKLM\System\Currentcontrolset\Services\MPSSVC]|[DependOnService] : mpsdrv
    bfe
    [HKLM\System\Currentcontrolset\Services\MPSSVC]|[ServiceSidType] : 3
    [HKLM\System\Currentcontrolset\Services\MPSSVC]|[RequiredPrivileges] : SeAssignPrimaryTokenPrivilege
    SeAuditPrivilege
    SeChangeNotifyPrivilege
    SeCreateGlobalPrivilege
    SeImpersonatePrivilege
    SeIncreaseQuotaPrivilege
    [HKLM\System\Currentcontrolset\Services\MPSSVC]|[FailureActions] : 0x805101000000000000000000030000001400000001000000C0D4010001000000E09304000000000000000000
    [HKLM\System\Currentcontrolset\Services\MPSSVC\Parameters]|[ServiceDll] : %SystemRoot%\system32\mpssvc.dll
    [HKLM\System\Currentcontrolset\Services\MPSSVC\Parameters]|[ServiceDllUnloadOnStop] : 1
    [HKLM\System\Currentcontrolset\Services\MPSSVC\Security]|[Security] : 0x01001480B4000000C0000000140000003000000002001C000100000002801400FF010F00010100000000000100000000020084000500000000001400FD01020001010000000000051200000000001800FF010F0001020000000000052000000020020000000014008D010200010100000000000504000000000014008D010200010100000000000506000000000028001500000001060000000000055000000049599D779156E555DCF4E20EA78BEBCA7B421356010100000000000512000000010100000000000512000000

    ¤¤¤¤¤¤¤¤¤¤ | RPCSS

    [HKLM\System\Currentcontrolset\Services\RPCSS]|[DisplayName] : @oleres.dll,-5010
    [HKLM\System\Currentcontrolset\Services\RPCSS]|[Group] : COM Infrastructure
    [HKLM\System\Currentcontrolset\Services\RPCSS]|[ImagePath] : %SystemRoot%\system32\svchost.exe -k rpcss
    [HKLM\System\Currentcontrolset\Services\RPCSS]|[Description] : @oleres.dll,-5011
    [HKLM\System\Currentcontrolset\Services\RPCSS]|[ObjectName] : NT AUTHORITY\NetworkService
    [HKLM\System\Currentcontrolset\Services\RPCSS]|[ErrorControl] : 1
    [HKLM\System\Currentcontrolset\Services\RPCSS]|[Start] : 2
    [HKLM\System\Currentcontrolset\Services\RPCSS]|[Type] : 32
    [HKLM\System\Currentcontrolset\Services\RPCSS]|[DependOnService] : RpcEptMapper
    DcomLaunch
    [HKLM\System\Currentcontrolset\Services\RPCSS]|[FailureActions] : 0x00000000000000000000000001000000000000000200000060EA0000
    [HKLM\System\Currentcontrolset\Services\RPCSS]|[RequiredPrivileges] : SeChangeNotifyPrivilege
    SeCreateGlobalPrivilege
    SeImpersonatePrivilege
    [HKLM\System\Currentcontrolset\Services\RPCSS]|[ServiceSidType] : 1
    [HKLM\System\Currentcontrolset\Services\RPCSS\Parameters]|[ServiceDll] : %SystemRoot%\system32\rpcss.dll
    [HKLM\System\Currentcontrolset\Services\RPCSS\Security]|[Security] : 0x01001480900000009C000000140000003000000002001C000100000002801400FF000F000101000000000001000000000200600004000000000014008500020001010000000000050B00000000001400FF000E0001010000000000051200000000001800FD000E0001020000000000052000000020020000000018008500000001020000000000052000000021020000010100000000000512000000010100000000000512000000

    ¤¤¤¤¤¤¤¤¤¤ | Windefend

    [HKLM\System\Currentcontrolset\Services\Windefend]|[DisplayName] : @%ProgramFiles%\Windows Defender\MsMpRes.dll,-103
    [HKLM\System\Currentcontrolset\Services\Windefend]|[ErrorControl] : 1
    [HKLM\System\Currentcontrolset\Services\Windefend]|[ImagePath] : %SystemRoot%\System32\svchost.exe -k secsvcs
    [HKLM\System\Currentcontrolset\Services\Windefend]|[Start] : 2
    [HKLM\System\Currentcontrolset\Services\Windefend]|[Type] : 32
    [HKLM\System\Currentcontrolset\Services\Windefend]|[Description] : @%ProgramFiles%\Windows Defender\MsMpRes.dll,-1176
    [HKLM\System\Currentcontrolset\Services\Windefend]|[DependOnService] : RpcSs
    [HKLM\System\Currentcontrolset\Services\Windefend]|[ObjectName] : LocalSystem
    [HKLM\System\Currentcontrolset\Services\Windefend]|[ServiceSidType] : 1
    [HKLM\System\Currentcontrolset\Services\Windefend]|[RequiredPrivileges] : SeImpersonatePrivilege
    SeBackupPrivilege
    SeRestorePrivilege
    SeDebugPrivilege
    SeChangeNotifyPrivilege
    SeSecurityPrivilege
    SeShutdownPrivilege
    SeIncreaseQuotaPrivilege
    SeAssignPrimaryTokenPrivilege
    [HKLM\System\Currentcontrolset\Services\Windefend]|[DelayedAutoStart] : 1
    [HKLM\System\Currentcontrolset\Services\Windefend]|[FailureActions] : 0x80510100000000000000000003000000140000000100000060EA00000100000060EA00000000000000000000
    [HKLM\System\Currentcontrolset\Services\Windefend\Parameters]|[ServiceDllUnloadOnStop] : 1
    [HKLM\System\Currentcontrolset\Services\Windefend\Parameters]|[ServiceDll] : %ProgramFiles%\Windows Defender\mpsvc.dll
    [HKLM\System\Currentcontrolset\Services\Windefend\Security]|[Security] : 0x01001480DC000000E8000000140000003000000002001C000100000002801400FF010F000101000000000001000000000200AC000600000000002800FF010F00010600000000000550000000B589FB381984C2CB5C6C236D5700776EC0026487000B280000000010010600000000000550000000B589FB381984C2CB5C6C236D5700776EC002648700001400FD01020001010000000000051200000000001800FF010F0001020000000000052000000020020000000014009D010200010100000000000504000000000014009D010200010100000000000506000000010100000000000512000000010100000000000512000000

    ¤¤¤¤¤¤¤¤¤¤ | wscsvc

    [HKLM\System\Currentcontrolset\Services\wscsvc]|[DisplayName] : @%SystemRoot%\System32\wscsvc.dll,-200
    [HKLM\System\Currentcontrolset\Services\wscsvc]|[ErrorControl] : 1
    [HKLM\System\Currentcontrolset\Services\wscsvc]|[ImagePath] : %SystemRoot%\System32\svchost.exe -k LocalServiceNetworkRestricted
    [HKLM\System\Currentcontrolset\Services\wscsvc]|[Start] : 4
    [HKLM\System\Currentcontrolset\Services\wscsvc]|[Type] : 32
    [HKLM\System\Currentcontrolset\Services\wscsvc]|[Description] : @%SystemRoot%\System32\wscsvc.dll,-201
    [HKLM\System\Currentcontrolset\Services\wscsvc]|[DependOnService] : RpcSs
    WinMgmt
    [HKLM\System\Currentcontrolset\Services\wscsvc]|[ObjectName] : NT AUTHORITY\LocalService
    [HKLM\System\Currentcontrolset\Services\wscsvc]|[ServiceSidType] : 1
    [HKLM\System\Currentcontrolset\Services\wscsvc]|[RequiredPrivileges] : SeChangeNotifyPrivilege
    SeImpersonatePrivilege
    [HKLM\System\Currentcontrolset\Services\wscsvc]|[DelayedAutoStart] : 1
    [HKLM\System\Currentcontrolset\Services\wscsvc]|[FailureActions] : 0x805101000000000000000000030000001400000001000000C0D4010001000000E09304000000000000000000
    [HKLM\System\Currentcontrolset\Services\wscsvc\Parameters]|[ServiceDllUnloadOnStop] : 1
    [HKLM\System\Currentcontrolset\Services\wscsvc\Parameters]|[ServiceDll] : %SystemRoot%\System32\wscsvc.dll
    [HKLM\System\Currentcontrolset\Services\wscsvc\Security]|[Security] : 0x01001480C8000000D4000000140000003000000002001C000100000002801400FF010F00010100000000000100000000020098000600000000001400FD01020001010000000000051200000000001800FF010F0001020000000000052000000020020000000014009D010200010100000000000504000000000014008D010200010100000000000506000000000014000001000001010000000000050B000000000028001500000001060000000000055000000049599D779156E555DCF4E20EA78BEBCA7B421356010100000000000512000000010100000000000512000000

    ¤¤¤¤¤¤¤¤¤¤ | wuauserv

    [HKLM\System\Currentcontrolset\Services\wuauserv]|[PreshutdownTimeout] : 57600000
    [HKLM\System\Currentcontrolset\Services\wuauserv]|[DisplayName] : @%systemroot%\system32\wuaueng.dll,-105
    [HKLM\System\Currentcontrolset\Services\wuauserv]|[ImagePath] : %systemroot%\system32\svchost.exe -k netsvcs
    [HKLM\System\Currentcontrolset\Services\wuauserv]|[Description] : @%systemroot%\system32\wuaueng.dll,-106
    [HKLM\System\Currentcontrolset\Services\wuauserv]|[ObjectName] : LocalSystem
    [HKLM\System\Currentcontrolset\Services\wuauserv]|[ErrorControl] : 1
    [HKLM\System\Currentcontrolset\Services\wuauserv]|[Start] : 4
    [HKLM\System\Currentcontrolset\Services\wuauserv]|[DelayedAutoStart] : 1
    [HKLM\System\Currentcontrolset\Services\wuauserv]|[Type] : 32
    [HKLM\System\Currentcontrolset\Services\wuauserv]|[DependOnService] : rpcss
    [HKLM\System\Currentcontrolset\Services\wuauserv]|[ServiceSidType] : 1
    [HKLM\System\Currentcontrolset\Services\wuauserv]|[RequiredPrivileges] : SeAuditPrivilege
    SeCreateGlobalPrivilege
    SeCreatePageFilePrivilege
    SeTcbPrivilege
    SeAssignPrimaryTokenPrivilege
    SeImpersonatePrivilege
    SeIncreaseQuotaPrivilege
    SeShutdownPrivilege
    [HKLM\System\Currentcontrolset\Services\wuauserv]|[FailureActions] : 0x80510100000000000000000003000000140000000100000060EA000000000000000000000000000000000000
    [HKLM\System\Currentcontrolset\Services\wuauserv\Parameters]|[ServiceDll] : %systemroot%\system32\wuaueng.dll
    [HKLM\System\Currentcontrolset\Services\wuauserv\Parameters]|[ServiceMain] : WUServiceMain
    [HKLM\System\Currentcontrolset\Services\wuauserv\Parameters]|[ServiceDllUnloadOnStop] : 1
    [HKLM\System\Currentcontrolset\Services\wuauserv\Security]|[Security] : 0x010014807800000084000000140000003000000002001C000100000002801400FF000F000101000000000001000000000200480003000000000014009D00020001010000000000050B00000000001800FF010F000102000000000005200000002002000000001400FF010F00010100000000000512000000010100000000000512000000010100000000000512000000

    ¤¤¤¤¤¤¤¤¤¤ | BFE

    [HKLM\System\Currentcontrolset\Services\BFE]|[DisplayName] : @%SystemRoot%\system32\bfe.dll,-1001
    [HKLM\System\Currentcontrolset\Services\BFE]|[Group] : NetworkProvider
    [HKLM\System\Currentcontrolset\Services\BFE]|[ImagePath] : %systemroot%\system32\svchost.exe -k LocalServiceNoNetwork
    [HKLM\System\Currentcontrolset\Services\BFE]|[Description] : @%SystemRoot%\system32\bfe.dll,-1002
    [HKLM\System\Currentcontrolset\Services\BFE]|[ObjectName] : NT AUTHORITY\LocalService
    [HKLM\System\Currentcontrolset\Services\BFE]|[ErrorControl] : 1
    [HKLM\System\Currentcontrolset\Services\BFE]|[Start] : 4
    [HKLM\System\Currentcontrolset\Services\BFE]|[Type] : 32
    [HKLM\System\Currentcontrolset\Services\BFE]|[DependOnService] : RpcSs
    [HKLM\System\Currentcontrolset\Services\BFE]|[ServiceSidType] : 3
    [HKLM\System\Currentcontrolset\Services\BFE]|[RequiredPrivileges] : SeAuditPrivilege
    [HKLM\System\Currentcontrolset\Services\BFE]|[FailureActions] : 0x805101000000000000000000030000001400000001000000C0D4010001000000E09304000000000000000000
    [HKLM\System\Currentcontrolset\Services\BFE\Parameters]|[ServiceDll] : %SystemRoot%\System32\bfe.dll
    [HKLM\System\Currentcontrolset\Services\BFE\Parameters]|[ServiceDllUnloadOnStop] : 1
    [HKLM\System\Currentcontrolset\Services\BFE\Parameters]|[ServiceMain] : BfeServiceMain

    ¤¤¤¤¤¤¤¤¤¤ | BITS

    [HKLM\System\Currentcontrolset\Services\BITS]|[DisplayName] : @%SystemRoot%\system32\qmgr.dll,-1000
    [HKLM\System\Currentcontrolset\Services\BITS]|[ImagePath] : %SystemRoot%\System32\svchost.exe -k netsvcs
    [HKLM\System\Currentcontrolset\Services\BITS]|[Description] : @%SystemRoot%\system32\qmgr.dll,-1001
    [HKLM\System\Currentcontrolset\Services\BITS]|[ObjectName] : LocalSystem
    [HKLM\System\Currentcontrolset\Services\BITS]|[ErrorControl] : 1
    [HKLM\System\Currentcontrolset\Services\BITS]|[Start] : 4
    [HKLM\System\Currentcontrolset\Services\BITS]|[DelayedAutoStart] : 1
    [HKLM\System\Currentcontrolset\Services\BITS]|[Type] : 32
    [HKLM\System\Currentcontrolset\Services\BITS]|[DependOnService] : RpcSs
    EventSystem
    [HKLM\System\Currentcontrolset\Services\BITS]|[ServiceSidType] : 1
    [HKLM\System\Currentcontrolset\Services\BITS]|[RequiredPrivileges] : SeCreateGlobalPrivilege
    SeImpersonatePrivilege
    SeTcbPrivilege
    SeAssignPrimaryTokenPrivilege
    SeIncreaseQuotaPrivilege
    [HKLM\System\Currentcontrolset\Services\BITS]|[FailureActions] : 0x80510100000000000000000003000000140000000100000060EA000001000000C0D401000000000000000000
    [HKLM\System\Currentcontrolset\Services\BITS\Parameters]|[ServiceDll] : %SystemRoot%\System32\qmgr.dll
    [HKLM\System\Currentcontrolset\Services\BITS\Performance]|[Library] : bitsperf.dll
    [HKLM\System\Currentcontrolset\Services\BITS\Performance]|[Open] : PerfMon_Open
    [HKLM\System\Currentcontrolset\Services\BITS\Performance]|[Collect] : PerfMon_Collect
    [HKLM\System\Currentcontrolset\Services\BITS\Performance]|[Close] : PerfMon_Close
    [HKLM\System\Currentcontrolset\Services\BITS\Performance]|[InstallType] : 1
    [HKLM\System\Currentcontrolset\Services\BITS\Performance]|[PerfIniFile] : bitsctrs.ini
    [HKLM\System\Currentcontrolset\Services\BITS\Performance]|[First Counter] : 2156
    [HKLM\System\Currentcontrolset\Services\BITS\Performance]|[Last Counter] : 2172
    [HKLM\System\Currentcontrolset\Services\BITS\Performance]|[First Help] : 2157
    [HKLM\System\Currentcontrolset\Services\BITS\Performance]|[Last Help] : 2173
    [HKLM\System\Currentcontrolset\Services\BITS\Performance]|[Object List] : 2156
    [HKLM\System\Currentcontrolset\Services\BITS\Performance]|[PerfMMFileName] : Global\MMF_BITS_s
    [HKLM\System\Currentcontrolset\Services\BITS\Security]|[Security] : 0x0100148090000000A00000001400000034000000020020000100000002C0180000000C000102000000000005200000002002000002005C000400000000021400FF010F0001010000000000051200000000001800FF010F0001020000000000052000000020020000000014008D010200010100000000000504000000000014008D0102000101000000000005060000000102000000000005200000002002000001020000000000052000000020020000

    ¤¤¤¤¤¤¤¤¤¤ | Cryptsvc

    [HKLM\System\Currentcontrolset\Services\Cryptsvc]|[DisplayName] : @%SystemRoot%\system32\cryptsvc.dll,-1001
    [HKLM\System\Currentcontrolset\Services\Cryptsvc]|[ImagePath] : %SystemRoot%\system32\svchost.exe -k NetworkService
    [HKLM\System\Currentcontrolset\Services\Cryptsvc]|[Description] : @%SystemRoot%\system32\cryptsvc.dll,-1002
    [HKLM\System\Currentcontrolset\Services\Cryptsvc]|[ObjectName] : NT Authority\NetworkService
    [HKLM\System\Currentcontrolset\Services\Cryptsvc]|[ErrorControl] : 1
    [HKLM\System\Currentcontrolset\Services\Cryptsvc]|[Start] : 3
    [HKLM\System\Currentcontrolset\Services\Cryptsvc]|[Type] : 32
    [HKLM\System\Currentcontrolset\Services\Cryptsvc]|[DependOnService] : RpcSs
    [HKLM\System\Currentcontrolset\Services\Cryptsvc]|[ServiceSidType] : 1
    [HKLM\System\Currentcontrolset\Services\Cryptsvc]|[RequiredPrivileges] : SeChangeNotifyPrivilege
    SeCreateGlobalPrivilege
    SeImpersonatePrivilege
    [HKLM\System\Currentcontrolset\Services\Cryptsvc]|[FailureActions] : 0x80510100000000000000000003000000140000000100000060EA000000000000000000000000000000000000
    [HKLM\System\Currentcontrolset\Services\Cryptsvc\Parameters]|[ServiceDll] : %SystemRoot%\system32\cryptsvc.dll
    [HKLM\System\Currentcontrolset\Services\Cryptsvc\Parameters]|[ServiceMain] : CryptServiceMain
    [HKLM\System\Currentcontrolset\Services\Cryptsvc\Parameters]|[ServiceDllUnloadOnStop] : 1
    [HKLM\System\Currentcontrolset\Services\Cryptsvc\Security]|[Security] : 0x00000E0001

    ¤¤¤¤¤¤¤¤¤¤ | MPSSVC

    [HKLM\System\Currentcontrolset\Services\MPSSVC]|[DisplayName] : @%SystemRoot%\system32\FirewallAPI.dll,-23090
    [HKLM\System\Currentcontrolset\Services\MPSSVC]|[Group] : NetworkProvider
    [HKLM\System\Currentcontrolset\Services\MPSSVC]|[ImagePath] : %SystemRoot%\system32\svchost.exe -k LocalServiceNoNetwork
    [HKLM\System\Currentcontrolset\Services\MPSSVC]|[Description] : @%SystemRoot%\system32\FirewallAPI.dll,-23091
    [HKLM\System\Currentcontrolset\Services\MPSSVC]|[ObjectName] : NT Authority\LocalService
    [HKLM\System\Currentcontrolset\Services\MPSSVC]|[ErrorControl] : 1
    [HKLM\System\Currentcontrolset\Services\MPSSVC]|[Start] : 4
    [HKLM\System\Currentcontrolset\Services\MPSSVC]|[Type] : 32
    [HKLM\System\Currentcontrolset\Services\MPSSVC]|[DependOnService] : mpsdrv
    bfe
    [HKLM\System\Currentcontrolset\Services\MPSSVC]|[ServiceSidType] : 3
    [HKLM\System\Currentcontrolset\Services\MPSSVC]|[RequiredPrivileges] : SeAssignPrimaryTokenPrivilege
    SeAuditPrivilege
    SeChangeNotifyPrivilege
    SeCreateGlobalPrivilege
    SeImpersonatePrivilege
    SeIncreaseQuotaPrivilege
    [HKLM\System\Currentcontrolset\Services\MPSSVC]|[FailureActions] : 0x805101000000000000000000030000001400000001000000C0D4010001000000E09304000000000000000000
    [HKLM\System\Currentcontrolset\Services\MPSSVC\Parameters]|[ServiceDll] : %SystemRoot%\system32\mpssvc.dll
    [HKLM\System\Currentcontrolset\Services\MPSSVC\Parameters]|[ServiceDllUnloadOnStop] : 1
    [HKLM\System\Currentcontrolset\Services\MPSSVC\Security]|[Security] : 0x01001480B4000000C0000000140000003000000002001C000100000002801400FF010F00010100000000000100000000020084000500000000001400FD01020001010000000000051200000000001800FF010F0001020000000000052000000020020000000014008D010200010100000000000504000000000014008D010200010100000000000506000000000028001500000001060000000000055000000049599D779156E555DCF4E20EA78BEBCA7B421356010100000000000512000000010100000000000512000000

    ¤¤¤¤¤¤¤¤¤¤ | RPCSS

    [HKLM\System\Currentcontrolset\Services\RPCSS]|[DisplayName] : @oleres.dll,-5010
    [HKLM\System\Currentcontrolset\Services\RPCSS]|[Group] : COM Infrastructure
    [HKLM\System\Currentcontrolset\Services\RPCSS]|[ImagePath] : %SystemRoot%\system32\svchost.exe -k rpcss
    [HKLM\System\Currentcontrolset\Services\RPCSS]|[Description] : @oleres.dll,-5011
    [HKLM\System\Currentcontrolset\Services\RPCSS]|[ObjectName] : NT AUTHORITY\NetworkService
    [HKLM\System\Currentcontrolset\Services\RPCSS]|[ErrorControl] : 1
    [HKLM\System\Currentcontrolset\Services\RPCSS]|[Start] : 2
    [HKLM\System\Currentcontrolset\Services\RPCSS]|[Type] : 32
    [HKLM\System\Currentcontrolset\Services\RPCSS]|[DependOnService] : RpcEptMapper
    DcomLaunch
    [HKLM\System\Currentcontrolset\Services\RPCSS]|[FailureActions] : 0x00000000000000000000000001000000000000000200000060EA0000
    [HKLM\System\Currentcontrolset\Services\RPCSS]|[RequiredPrivileges] : SeChangeNotifyPrivilege
    SeCreateGlobalPrivilege
    SeImpersonatePrivilege
    [HKLM\System\Currentcontrolset\Services\RPCSS]|[ServiceSidType] : 1
    [HKLM\System\Currentcontrolset\Services\RPCSS\Parameters]|[ServiceDll] : %SystemRoot%\system32\rpcss.dll
    [HKLM\System\Currentcontrolset\Services\RPCSS\Security]|[Security] : 0x01001480900000009C000000140000003000000002001C000100000002801400FF000F000101000000000001000000000200600004000000000014008500020001010000000000050B00000000001400FF000E0001010000000000051200000000001800FD000E0001020000000000052000000020020000000018008500000001020000000000052000000021020000010100000000000512000000010100000000000512000000

    ¤¤¤¤¤¤¤¤¤¤ | Windefend

    [HKLM\System\Currentcontrolset\Services\Windefend]|[DisplayName] : @%ProgramFiles%\Windows Defender\MsMpRes.dll,-103
    [HKLM\System\Currentcontrolset\Services\Windefend]|[ErrorControl] : 1
    [HKLM\System\Currentcontrolset\Services\Windefend]|[ImagePath] : %SystemRoot%\System32\svchost.exe -k secsvcs
    [HKLM\System\Currentcontrolset\Services\Windefend]|[Start] : 2
    [HKLM\System\Currentcontrolset\Services\Windefend]|[Type] : 32
    [HKLM\System\Currentcontrolset\Services\Windefend]|[Description] : @%ProgramFiles%\Windows Defender\MsMpRes.dll,-1176
    [HKLM\System\Currentcontrolset\Services\Windefend]|[DependOnService] : RpcSs
    [HKLM\System\Currentcontrolset\Services\Windefend]|[ObjectName] : LocalSystem
    [HKLM\System\Currentcontrolset\Services\Windefend]|[ServiceSidType] : 1
    [HKLM\System\Currentcontrolset\Services\Windefend]|[RequiredPrivileges] : SeImpersonatePrivilege
    SeBackupPrivilege
    SeRestorePrivilege
    SeDebugPrivilege
    SeChangeNotifyPrivilege
    SeSecurityPrivilege
    SeShutdownPrivilege
    SeIncreaseQuotaPrivilege
    SeAssignPrimaryTokenPrivilege
    [HKLM\System\Currentcontrolset\Services\Windefend]|[DelayedAutoStart] : 1
    [HKLM\System\Currentcontrolset\Services\Windefend]|[FailureActions] : 0x80510100000000000000000003000000140000000100000060EA00000100000060EA00000000000000000000
    [HKLM\System\Currentcontrolset\Services\Windefend\Parameters]|[ServiceDllUnloadOnStop] : 1
    [HKLM\System\Currentcontrolset\Services\Windefend\Parameters]|[ServiceDll] : %ProgramFiles%\Windows Defender\mpsvc.dll
    [HKLM\System\Currentcontrolset\Services\Windefend\Security]|[Security] : 0x01001480DC000000E8000000140000003000000002001C000100000002801400FF010F000101000000000001000000000200AC000600000000002800FF010F00010600000000000550000000B589FB381984C2CB5C6C236D5700776EC0026487000B280000000010010600000000000550000000B589FB381984C2CB5C6C236D5700776EC002648700001400FD01020001010000000000051200000000001800FF010F0001020000000000052000000020020000000014009D010200010100000000000504000000000014009D010200010100000000000506000000010100000000000512000000010100000000000512000000

    ¤¤¤¤¤¤¤¤¤¤ | wscsvc

    [HKLM\System\Currentcontrolset\Services\wscsvc]|[DisplayName] : @%SystemRoot%\System32\wscsvc.dll,-200
    [HKLM\System\Currentcontrolset\Services\wscsvc]|[ErrorControl] : 1
    [HKLM\System\Currentcontrolset\Services\wscsvc]|[ImagePath] : %SystemRoot%\System32\svchost.exe -k LocalServiceNetworkRestricted
    [HKLM\System\Currentcontrolset\Services\wscsvc]|[Start] : 4
    [HKLM\System\Currentcontrolset\Services\wscsvc]|[Type] : 32
    [HKLM\System\Currentcontrolset\Services\wscsvc]|[Description] : @%SystemRoot%\System32\wscsvc.dll,-201
    [HKLM\System\Currentcontrolset\Services\wscsvc]|[DependOnService] : RpcSs
    WinMgmt
    [HKLM\System\Currentcontrolset\Services\wscsvc]|[ObjectName] : NT AUTHORITY\LocalService
    [HKLM\System\Currentcontrolset\Services\wscsvc]|[ServiceSidType] : 1
    [HKLM\System\Currentcontrolset\Services\wscsvc]|[RequiredPrivileges] : SeChangeNotifyPrivilege
    SeImpersonatePrivilege
    [HKLM\System\Currentcontrolset\Services\wscsvc]|[DelayedAutoStart] : 1
    [HKLM\System\Currentcontrolset\Services\wscsvc]|[FailureActions] : 0x805101000000000000000000030000001400000001000000C0D4010001000000E09304000000000000000000
    [HKLM\System\Currentcontrolset\Services\wscsvc\Parameters]|[ServiceDllUnloadOnStop] : 1
    [HKLM\System\Currentcontrolset\Services\wscsvc\Parameters]|[ServiceDll] : %SystemRoot%\System32\wscsvc.dll
    [HKLM\System\Currentcontrolset\Services\wscsvc\Security]|[Security] : 0x01001480C8000000D4000000140000003000000002001C000100000002801400FF010F00010100000000000100000000020098000600000000001400FD01020001010000000000051200000000001800FF010F0001020000000000052000000020020000000014009D010200010100000000000504000000000014008D010200010100000000000506000000000014000001000001010000000000050B000000000028001500000001060000000000055000000049599D779156E555DCF4E20EA78BEBCA7B421356010100000000000512000000010100000000000512000000

    ¤¤¤¤¤¤¤¤¤¤ | wuauserv

    [HKLM\System\Currentcontrolset\Services\wuauserv]|[PreshutdownTimeout] : 57600000
    [HKLM\System\Currentcontrolset\Services\wuauserv]|[DisplayName] : @%systemroot%\system32\wuaueng.dll,-105
    [HKLM\System\Currentcontrolset\Services\wuauserv]|[ImagePath] : %systemroot%\system32\svchost.exe -k netsvcs
    [HKLM\System\Currentcontrolset\Services\wuauserv]|[Description] : @%systemroot%\system32\wuaueng.dll,-106
    [HKLM\System\Currentcontrolset\Services\wuauserv]|[ObjectName] : LocalSystem
    [HKLM\System\Currentcontrolset\Services\wuauserv]|[ErrorControl] : 1
    [HKLM\System\Currentcontrolset\Services\wuauserv]|[Start] : 4
    [HKLM\System\Currentcontrolset\Services\wuauserv]|[DelayedAutoStart] : 1
    [HKLM\System\Currentcontrolset\Services\wuauserv]|[Type] : 32
    [HKLM\System\Currentcontrolset\Services\wuauserv]|[DependOnService] : rpcss
    [HKLM\System\Currentcontrolset\Services\wuauserv]|[ServiceSidType] : 1
    [HKLM\System\Currentcontrolset\Services\wuauserv]|[RequiredPrivileges] : SeAuditPrivilege
    SeCreateGlobalPrivilege
    SeCreatePageFilePrivilege
    SeTcbPrivilege
    SeAssignPrimaryTokenPrivilege
    SeImpersonatePrivilege
    SeIncreaseQuotaPrivilege
    SeShutdownPrivilege
    [HKLM\System\Currentcontrolset\Services\wuauserv]|[FailureActions] : 0x80510100000000000000000003000000140000000100000060EA000000000000000000000000000000000000
    [HKLM\System\Currentcontrolset\Services\wuauserv\Parameters]|[ServiceDll] : %systemroot%\system32\wuaueng.dll
    [HKLM\System\Currentcontrolset\Services\wuauserv\Parameters]|[ServiceMain] : WUServiceMain
    [HKLM\System\Currentcontrolset\Services\wuauserv\Parameters]|[ServiceDllUnloadOnStop] : 1
    [HKLM\System\Currentcontrolset\Services\wuauserv\Security]|[Security] : 0x010014807800000084000000140000003000000002001C000100000002801400FF000F000101000000000001000000000200480003000000000014009D00020001010000000000050B00000000001800FF010F000102000000000005200000002002000000001400FF010F00010100000000000512000000010100000000000512000000010100000000000512000000
    0
  8. g3n-h@ckm@n
     
    les trois quarts des services sont desactivés.....

    telecharge ici : Load_SalityKiller

    Desactive tes protections

    lance-le , clique sur lancer le nettoyage

    à la fin SalityKiller.txt se mettra sur ton bureau

    ▶▶▶ NE LE POSTE PAS SUR LE FORUM (il est trop long)

    clic droit dessus , envoyer vers , dossiers compressés

    ensuite :

    tu m'envoies l'archive comme ceci :

    clique sur ce lien : http://www.cijoint.fr/

    ▶ Clique sur Parcourir et cherche le fichier ci-dessus.

    ▶ Clique sur Ouvrir.

    ▶ Clique sur "Cliquez ici pour déposer le fichier".

    Un lien de cette forme :

    http://www.cijoint.fr/cjlink.php?file=cjge368/cijSKAP5fU.txt

    est ajouté dans la page.

    ▶ Copie ce lien dans ta réponse.
    0
  9. cqfd73 Messages postés 121 Statut Membre
     
    Bonjour g3n-h@ckm@n,

    Problème : le lien renvoie vers une erreur 404. Il m'est donc impossible de télécharger le logiciel.

    Peux-tu être plus précis quant à la désactivation des protections ?

    Merci
    0
    1. Utilisateur anonyme
       
      Désactiver ton antivirus / pare-feu.

      -> http://www.forums-fec.be/gen-hackman/Load_SalityKiller.exe
      0
    2. g3n-h@ckm@n
       
      ah ouais desolé j'ai oublié de la changer cette fiche...
      0
    3. cqfd73 Messages postés 121 Statut Membre
       
      Antivirus et pare-feu desactivés. J'ai bien pu télécharger Sality (désolé pour la maladresse ;-)).

      Nouveau problème : Le logiciel est maintenant intallé sur le PC infecté, mais il est impossible de le lancer. Je suis sur la session Invité, peut-être n'ai-je pas les droits pour faire cette manip ? Ce serait embetant, vu que je ne peux plus ouvrir de session Administrateur
      0
  10. g3n-h@ckm@n
     
    il faut l utiliser sur la session infectée
    0
  11. cqfd73 Messages postés 121 Statut Membre
     
    Je voudrais bien !
    La session infectée est protegée par un mot de passe et malheureusement, le clavier étant inopérant sous cette session, je ne peux pas rentrer le mot de passe.

    Aie !
    0
  12. cqfd73 Messages postés 121 Statut Membre
     
    Non, clavier filaire standard.
    0
  13. g3n-h@ckm@n
     
    usb ou PS2 ?
    0
    1. cqfd73 Messages postés 121 Statut Membre
       
      Port USB
      0
  14. g3n-h@ckm@n
     
    ca dit quoi quand tu le lances de la sesion invité ?
    0
  15. cqfd73 Messages postés 121 Statut Membre
     
    En session invité :
    actuellement, la session Invité est plantée car j'ai essayé de tester le fonctionnement du clavier sur un document TXT. Apparement, il n'a pas aimé puiqu'il rame depuis 30 min
    0
  16. cqfd73 Messages postés 121 Statut Membre
     
    J'ai redémarré la machine.

    Cela peut prendre un certain temps !

    Le problème de fonctionnement du clavier est apparu depuis l'utilisation de Winlogon. Aurais-je fais une anerie en cliquant sur "KILL" ?
    0
  17. g3n-h@ckm@n
     
    impossible il touche pas aux pilotes legitimes
    0
  18. cqfd73 Messages postés 121 Statut Membre
     
    Peut-être un redémarrage "mal controlé".
    Vu qu'il faut 20 à 30 minutes au PC pour s'arreter, il m'arrive souvent de le stopper via le bouton ON/OFF afin d'accelerer la manoeuvre.
    0
  19. cqfd73 Messages postés 121 Statut Membre
     
    Ca y est, le PC est repartit.

    Session Administrateur impossible (clavier inopérant)
    Session Invité active, mais impossible de lancer Sality. Le curser clignote comme un parkingsonien après le double clic sur l'icone, puis plus de résultat !

    Y aurait-il une solution sous DOS ?
    0
  • 1
  • 2
  • 3
  • 4
  • 5